Platform
wordpress
Component
woo-razorpay
Fixed in
4.7.9
CVE-2025-14294 is a vulnerability affecting the Razorpay for WooCommerce plugin for WordPress. This issue allows unauthenticated attackers to modify the billing and shipping contact information (email and phone) of WooCommerce orders. The vulnerability exists in versions 0.0.0 through 4.7.8 and is fixed in version 4.7.9.
The core of the vulnerability lies in a missing capability check within the getCouponList() function. This function, responsible for retrieving coupon lists, lacks proper authentication, causing the checkAuthCredentials() permission callback to always return true. Consequently, any unauthenticated attacker who knows or can guess an order ID can manipulate the order's contact details. This could lead to fraudulent transactions, account takeovers, or the injection of malicious data into the WooCommerce system. The potential blast radius is significant, as it impacts all orders within the affected WooCommerce store.
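The following illustration is added here and is not the plugin's own code: it contrasts a WordPress REST permission callback that unconditionally returns true (the class of flaw described above, where the check effectively never denies anyone) with one that enforces authentication, a capability and order ownership. The route namespace `example-shop/v1`, the `example_*` function names and the choice of the `manage_woocommerce` capability are assumptions for this illustration; the WordPress and WooCommerce functions used (`register_rest_route`, `current_user_can`, `wc_get_order`, `WP_Error`) are real APIs.

```php
<?php
/**
 * Added illustration, not the Razorpay plugin's code: a permission callback that
 * always returns true versus one that actually checks the caller.
 * Assumptions: the 'example-shop/v1' namespace, the example_* function names and
 * the 'manage_woocommerce' capability used to mark shop staff.
 */

// WEAK: returning true unconditionally exposes the route to anonymous requests.
// Acceptable only for genuinely public, read-only data, never for a route that
// can change an order's contact details.
function example_weak_permission( WP_REST_Request $request ) {
	return true;
}

// HARDENED: 401 for anonymous callers, 404 for unknown orders, 403 unless the
// caller manages the shop or owns the order. Returning WP_Error (rather than
// false) lets the REST server emit the matching HTTP status code.
function example_hardened_permission( WP_REST_Request $request ) {
	if ( ! is_user_logged_in() ) {
		return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
	}
	$order = wc_get_order( absint( $request->get_param( 'order_id' ) ) );
	if ( ! $order ) {
		return new WP_Error( 'rest_not_found', 'Order not found.', array( 'status' => 404 ) );
	}
	if ( current_user_can( 'manage_woocommerce' ) ) {
		return true;
	}
	if ( (int) $order->get_customer_id() === get_current_user_id() ) {
		return true;
	}
	return new WP_Error( 'rest_forbidden', 'Insufficient permissions.', array( 'status' => 403 ) );
}

// The route callback runs only after the permission callback has returned true.
function example_update_contact( WP_REST_Request $request ) {
	$order = wc_get_order( absint( $request->get_param( 'order_id' ) ) );
	$email = $request->get_param( 'email' );
	$phone = $request->get_param( 'phone' );
	if ( null !== $email ) {
		if ( ! is_email( $email ) ) {
			return new WP_Error( 'rest_invalid_param', 'Invalid email.', array( 'status' => 400 ) );
		}
		$order->set_billing_email( $email );
	}
	if ( null !== $phone ) {
		$order->set_billing_phone( $phone );
	}
	$order->save();
	return rest_ensure_response( array( 'id' => $order->get_id() ) );
}

add_action( 'rest_api_init', function () {
	register_rest_route( 'example-shop/v1', '/orders/(?P<order_id>\d+)/contact', array(
		'methods'             => WP_REST_Server::EDITABLE,
		'callback'            => 'example_update_contact',
		// Wire the hardened callback, never example_weak_permission.
		'permission_callback' => 'example_hardened_permission',
		'args'                => array(
			'order_id' => array( 'required' => true, 'sanitize_callback' => 'absint' ),
			'email'    => array( 'sanitize_callback' => 'sanitize_email' ),
			'phone'    => array( 'sanitize_callback' => 'sanitize_text_field' ),
		),
	) );
} );
```

With the hardened callback in place, an unauthenticated request to the route receives a 401 rather than a successful update, which is the behaviour to look for when confirming a fix. A WAF rule in front of the endpoint is a useful stopgap, but the plugin-side check is the durable control because it applies regardless of how the request reaches WordPress.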
This CVE was publicly disclosed on 2026-02-19. There is currently no indication of active exploitation or a KEV listing. Public proof-of-concept code is not yet available, but the vulnerability's simplicity suggests it could be easily exploited. The lack of authentication makes it a relatively low-skill attack.
WooCommerce stores using the Razorpay for WooCommerce plugin, specifically versions 0.0.0 through 4.7.8, are at risk. Shared hosting environments, where plugin access is less tightly controlled, are especially exposed; no direct server access is needed to exploit the flaw.
• wordpress / composer / npm:
  grep -r 'checkAuthCredentials' /var/www/html/wp-content/plugins/razorpay-for-woocommerce/
• wordpress / composer / npm:
  wp plugin list --status=all | grep razorpay
• generic web:
  curl -I 'https://your-wordpress-site.com/wp-json/razorpay/v1/coupons?order_id=123'  # replace 123 with a valid order ID
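The `wp plugin list` check above prints the installed version but leaves the comparison to the reader, and a naive string comparison gets it wrong for releases such as 4.7.10. The script below is added here and is not the page's or the plugin's code: it reads the `Version:` header of a plugin's main file and reports whether the install falls in the affected range (anything below 4.7.9). The sample headers are constructed, and the main-file name `woo-razorpay.php` in the usage comment is an assumption.

```php
<?php
/**
 * Added example, not from the page or the plugin: parse a WordPress plugin's
 * "Version:" header and report whether it is below the fixed release 4.7.9.
 * The sample headers are constructed; the plugin main-file path passed on the
 * command line is an assumption.
 */

const EXAMPLE_FIXED_VERSION = '4.7.9';

// Pull the Version header out of the plugin file's header comment, matching the
// same loose "Key: Value" line shape that WordPress itself accepts.
function example_plugin_version_from_header( string $source ): ?string {
	if ( preg_match( '/^[ \t\/*#@]*Version:\s*(\S+)/mi', $source, $m ) ) {
		return trim( $m[1] );
	}
	return null;
}

// version_compare() understands numeric components, so 4.7.10 is correctly
// treated as newer than 4.7.9; a plain string comparison would get that wrong.
function example_is_affected( string $version ): bool {
	return version_compare( $version, EXAMPLE_FIXED_VERSION, '<' );
}

function example_report( string $label, string $source ): string {
	$version = example_plugin_version_from_header( $source );
	if ( null === $version ) {
		return "$label: no Version header found";
	}
	$state = example_is_affected( $version )
		? 'AFFECTED, upgrade to ' . EXAMPLE_FIXED_VERSION
		: 'not affected';
	return "$label: version $version, $state";
}

// Constructed sample headers covering the affected, fixed and post-fix cases.
$constructed_samples = array(
	'old-install'   => "<?php\n/**\n * Plugin Name: Razorpay for WooCommerce\n * Version: 4.7.8\n */\n",
	'patched'       => "<?php\n/*\nPlugin Name: Razorpay for WooCommerce\nVersion: 4.7.9\n*/\n",
	'later-release' => "<?php\n/**\n * Plugin Name: Razorpay for WooCommerce\n * Version: 4.7.10\n */\n",
);
foreach ( $constructed_samples as $label => $source ) {
	echo example_report( $label, $source ), PHP_EOL;
}

// Optional: check a real installed plugin file (file name is an assumption), e.g.
// php check-version.php /var/www/html/wp-content/plugins/razorpay-for-woocommerce/woo-razorpay.php
if ( ! empty( $argv[1] ) && is_readable( $argv[1] ) ) {
	echo example_report( $argv[1], file_get_contents( $argv[1] ) ), PHP_EOL;
}
```

Run it without arguments to see the three constructed cases, or pass the path of the installed plugin's main file to check a live install; the "old-install" sample is reported as affected, the other two as not affected.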
Exploit Status
EPSS
0.21% (43rd percentile)
CISA SSVC
CVSS-vector
The primary mitigation is to immediately upgrade the Razorpay for WooCommerce plugin to version 4.7.9 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a temporary workaround by restricting access to the getCouponList() endpoint through a web application firewall (WAF) or proxy server. Specifically, block requests to this endpoint from unauthenticated users. Additionally, review WooCommerce order data for any suspicious modifications. After upgrading, confirm the fix by attempting to access the getCouponList() endpoint without authentication and verifying that access is denied.
Update to version 4.7.9 or a newer patched version
CVE-2025-14294 is a vulnerability in the Razorpay for WooCommerce plugin that allows unauthenticated attackers to modify WooCommerce order contact information due to a missing capability check.
You are affected if you are using Razorpay for WooCommerce versions 0.0.0 through 4.7.8. Upgrade to 4.7.9 or later to resolve the issue.
Upgrade the Razorpay for WooCommerce plugin to version 4.7.9 or later. As a temporary workaround, restrict access to the getCouponList() endpoint via a WAF.
There is currently no indication of active exploitation, but the vulnerability's simplicity suggests it could be easily exploited.
Refer to the official Razorpay security advisory for details and updates: [https://razorpay.com/security/](https://razorpay.com/security/)