PT-2026-1756 · WordPress+1 · Japanized For Woocommerce+1
Published 2026-01-09 · Updated 2026-01-09
CVE-2025-14886
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Japanized for WooCommerce versions up to and including 2.7.17
Description
The Japanized for WooCommerce plugin for WordPress is susceptible to unauthorized data modification. A missing capability check on the order REST API endpoint allows unauthenticated attackers to modify the status of any WooCommerce order, potentially marking it as processed or completed. The vulnerable API endpoint is /order. The order resource is affected, allowing modification without proper authorization.
Recommendations
Versions prior to and including 2.7.17 should be updated.
Fix
Missing Authorization
Weakness Enumeration
Related Identifiers
Affected Products
Japanized For Woocommerce
Woocommerce