CVE-2025-14294

Razorpay for WooCommerce <= 4.7.8 - Missing Authentication to Unauthenticated Order Modification

CVSS 5.3 MEDIUMEPSS 0.4%CWE-306

Vexday Risk Score

13Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 5.3EPSS 0.4%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

19 feb 2026Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

The Razorpay for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the getCouponList() function in all versions up to, and including, 4.7.8. This is due to the checkAuthCredentials() permission callback always returning true, providing no actual authentication. This makes it possible for unauthenticated attackers to modify the billing and shipping contact information (email and phone) of any WooCommerce order by knowing or guessing the order ID.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Productos afectados

razorpay · Razorpay for WooCommerce

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://plugins.trac.wordpress.org/browser/woo-razorpay/trunk/includes/api/api.php#L33 https://plugins.trac.wordpress.org/browser/woo-razorpay/trunk/includes/api/auth.php#L7 https://plugins.trac.wordpress.org/browser/woo-razorpay/trunk/includes/api/coupon-get.php#L58 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3436262%40woo-razorpay&new=3436262%40woo-razorpay&sfp_email=&sfph_mail=https://www.wordfence.com/threat-intel/vulnerabilities/id/163d42df-148f-431c-891e-dbdc09bf2ae1?source=cve