PT-2026-1636 · WordPress · Piraeus Bank Woocommerce Payment Gateway
Published
2026-01-07
·
Updated
2026-01-07
·
CVE-2025-14460
CVSS v3.1
5.3
Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Piraeus Bank WooCommerce Payment Gateway plugin for WordPress versions through 3.1.4
Description
The Piraeus Bank WooCommerce Payment Gateway plugin for WordPress allows unauthorized modification of order statuses. The payment callback endpoint handler performs no authorization check when it processes the 'fail' callback, so an unauthenticated attacker can change the status of any order to 'failed' via the WooCommerce API endpoint simply by supplying the target order ID in the MerchantReference parameter. WooCommerce order IDs are sequential integers, so enumerating every order in the shop is straightforward. The result is business disruption: cancelled shipments, inventory inconsistencies and financial loss. The vulnerable API endpoint is '/wc/v3/orders/{order id}'.
Recommendations
All versions up to and including 3.1.4 are affected; update to a version later than 3.1.4.
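The bug class described above, as an added illustration that is not code from the Piraeus Bank plugin: a WooCommerce payment-gateway 'fail' callback that trusts MerchantReference as its only input, beside a hardened version that refuses to act unless the order belongs to the gateway, is still awaiting payment, and the callback proves it came from the bank. The gateway id example_bank, the option name woocommerce_example_bank_settings, the fields ResultCode, TransactionId and Signature, and the HMAC-SHA256 scheme are assumptions made for this example; the real gateway's callback authentication is not described on this page.

```php
<?php
// Illustrative code only, not the plugin's own. The gateway id 'example_bank',
// the settings option, the callback field names and the HMAC scheme are assumptions.

// --- Vulnerable pattern: whoever reaches the callback URL can fail any order. ---
add_action( 'woocommerce_api_example_bank_fail', 'example_bank_fail_vulnerable' );
function example_bank_fail_vulnerable() {
    // MerchantReference is the WooCommerce order ID, a sequential integer.
    $order_id = absint( $_REQUEST['MerchantReference'] ?? 0 );
    $order    = wc_get_order( $order_id );
    if ( $order ) {
        // No check of who sent this, which gateway the order used, or what state it is in.
        $order->update_status( 'failed', 'Payment failed at the bank.' );
    }
    wp_die();
}

// --- Hardened pattern: authorize the callback before touching the order. ---
add_action( 'woocommerce_api_example_bank_fail', 'example_bank_fail_hardened' );
function example_bank_fail_hardened() {
    $order_id = absint( $_REQUEST['MerchantReference'] ?? 0 );
    $order    = $order_id ? wc_get_order( $order_id ) : false;

    // 1. The order must exist and must have been placed through this gateway.
    if ( ! $order || 'example_bank' !== $order->get_payment_method() ) {
        example_bank_reject( 404 );
    }

    // 2. Only an order still awaiting payment may be moved to 'failed'. A paid,
    //    completed or refunded order is never a valid target for a payment callback.
    if ( ! $order->has_status( array( 'pending', 'on-hold' ) ) ) {
        example_bank_reject( 409 );
    }

    // 3. The callback must be authenticated. Hypothetical scheme: the bank signs
    //    the echoed fields with HMAC-SHA256 under the merchant's callback secret.
    //    Because MerchantReference is inside the signed payload, a signature
    //    captured for one order cannot be replayed against another.
    $settings = get_option( 'woocommerce_example_bank_settings', array() );
    $secret   = (string) ( $settings['callback_secret'] ?? '' );
    $payload  = array();
    foreach ( array( 'MerchantReference', 'ResultCode', 'TransactionId' ) as $field ) {
        $payload[] = sanitize_text_field( wp_unslash( $_REQUEST[ $field ] ?? '' ) );
    }
    $expected = hash_hmac( 'sha256', implode( '|', $payload ), $secret );
    $given    = sanitize_text_field( wp_unslash( $_REQUEST['Signature'] ?? '' ) );
    // hash_equals() is constant-time; an empty secret means the gateway is misconfigured,
    // so fail closed rather than accept an HMAC under an empty key.
    if ( '' === $secret || ! hash_equals( $expected, $given ) ) {
        example_bank_reject( 403 );
    }

    // 4. Only now is the state change authorized. Record the bank's result code
    //    in the order note so the transition is auditable.
    $order->update_status(
        'failed',
        sprintf( 'Payment failed at the bank (ResultCode %s).', esc_html( $payload[1] ) )
    );
    status_header( 200 );
    wp_die();
}

// Reject with an HTTP status and no body; the bank is the only legitimate caller.
function example_bank_reject( $code ) {
    wp_die( '', '', array( 'response' => (int) $code ) );
}
```

The ordering matters: the cheap checks on the order's gateway and state run first and already stop blind enumeration of sequential IDs, but they are not authorization on their own. The signature check is what turns "anyone who knows an order ID" into "the bank, for this order"; without an authenticated callback, any fallback such as guessable order IDs or a secret-less return URL leaves the handler open to exactly the abuse the advisory describes.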
Weakness Enumeration
Missing Authorization
Related Identifiers
CVE-2025-14460
Affected Products
Piraeus Bank Woocommerce Payment Gateway
Woocommerce