| Platform | Component | Fixed in |
|---|---|---|
| wordpress | woo-razorpay | 4.7.9 |
CVE-2025-14294 is a vulnerability affecting the Razorpay for WooCommerce plugin for WordPress. This issue allows unauthenticated attackers to modify the billing and shipping contact information (email and phone) of WooCommerce orders. The vulnerability exists in versions 0.0.0 through 4.7.8 and is fixed in version 4.7.9.
The root cause is a missing capability check in the getCouponList() function. The function, which retrieves coupon lists, does not enforce authentication: its permission callback, checkAuthCredentials(), always returns true, so the route is reachable by anyone. Consequently, an unauthenticated attacker who knows or can guess an order ID can change that order's contact details. This could lead to fraudulent transactions, account takeovers, or the injection of malicious data into the WooCommerce system. The blast radius is significant, since every order in the affected WooCommerce store is exposed.
This CVE was publicly disclosed on 2026-02-19. There is currently no indication of active exploitation and no KEV listing. Public proof-of-concept code is not yet available, but the simplicity of the flaw suggests it could be exploited easily; because no authentication is required, the attack demands little skill.
Exploit Status

- EPSS: 0.21% (43rd percentile)
- CISA SSVC:
- CVSS Vector:
The primary mitigation is to upgrade the Razorpay for WooCommerce plugin to version 4.7.9 or later immediately. If upgrading is not feasible right away because of compatibility issues or breaking changes, apply a temporary workaround by restricting access to the getCouponList() endpoint at a web application firewall (WAF) or reverse proxy: block requests to that endpoint from unauthenticated clients. Also review WooCommerce order data for suspicious modifications to billing and shipping contact details. After upgrading, confirm the fix by requesting the getCouponList() endpoint without authentication and verifying that access is denied.
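To make the defect class concrete, the following is an added, illustrative WordPress REST example; it is not the woo-razorpay plugin's code, and the namespace `example-shop/v1`, the routes, and the function names `example_check_auth_credentials()` and `example_get_coupon_list()` are assumptions. It places the weak pattern the advisory describes (a permission callback that unconditionally returns true) beside a hardened callback that requires an authenticated user with a WooCommerce capability.

```php
<?php
// Added example, not the woo-razorpay plugin's code.
// Route A: the weak pattern. A permission_callback that always returns
// true lets every unauthenticated request reach the handler, which is the
// class of defect CVE-2025-14294 describes for getCouponList().
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-shop/v1', '/coupons-weak', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_get_coupon_list',
        'permission_callback' => function ( WP_REST_Request $request ) {
            return true; // weak: no authentication or capability check
        },
    ) );
} );

// Route B: the same handler behind a real permission check.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-shop/v1', '/coupons', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_get_coupon_list',
        'permission_callback' => 'example_check_auth_credentials',
    ) );
} );

// Hypothetical hardened permission callback. Cookie-authenticated REST
// requests are only treated as logged in when they carry a valid
// X-WP-Nonce; otherwise WordPress runs the request as an anonymous user,
// so is_user_logged_in() is false and the request is rejected with 401.
function example_check_auth_credentials( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            'Authentication required.',
            array( 'status' => 401 )
        );
    }
    // Require a capability appropriate to the operation, not just a login.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'Insufficient permissions.',
            array( 'status' => 403 )
        );
    }
    return true;
}

// Hypothetical handler: returns the titles of published coupons.
function example_get_coupon_list( WP_REST_Request $request ) {
    $coupons = get_posts( array(
        'post_type'   => 'shop_coupon',
        'post_status' => 'publish',
        'numberposts' => 50,
    ) );
    return rest_ensure_response( wp_list_pluck( $coupons, 'post_title' ) );
}
```

The post-upgrade check the advisory recommends maps directly onto Route B: an unauthenticated GET to the endpoint should return a 401 JSON error rather than coupon data, and a logged-in user without `manage_woocommerce` should receive 403.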
Update to version 4.7.9, or a newer patched version
CVE-2025-14294 is a vulnerability in the Razorpay for WooCommerce plugin that allows unauthenticated attackers to modify WooCommerce order contact information due to a missing capability check.
You are affected if you are using Razorpay for WooCommerce versions 0.0.0 through 4.7.8. Upgrade to 4.7.9 or later to resolve the issue.
Upgrade the Razorpay for WooCommerce plugin to version 4.7.9 or later. As a temporary workaround, restrict access to the getCouponList() endpoint via a WAF.
There is currently no indication of active exploitation, but the vulnerability's simplicity suggests it could be easily exploited.
Refer to the official Razorpay security advisory for details and updates: [https://razorpay.com/security/](https://razorpay.com/security/)