PT-2026-5879 · WordPress · Xendit Payment
Published: 2026-02-04 · Updated: 2026-02-04 · CVE-2025-14461
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Xendit Payment plugin for WordPress, versions up to and including 6.0.2

Description: The Xendit Payment plugin for WordPress is susceptible to unauthorized modification of order statuses. This occurs because the plugin exposes a publicly accessible WooCommerce API callback endpoint, /wc xendit callback, which processes payment callbacks without verifying that the request originates from Xendit's payment gateway. An unauthenticated attacker can send a crafted POST request to this endpoint with a JSON body containing an external id corresponding to an order ID and a status of 'PAID' or 'SETTLED'. Successful exploitation allows attackers to fraudulently mark orders as completed, potentially leading to financial loss and inventory depletion. The attacker needs to enumerate order IDs, which are sequential integers, to successfully exploit this issue.

Recommendations: Update the Xendit Payment plugin to a version beyond 6.0.2.
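The root cause above is a callback handler that acts on a status supplied in the request body with no check of where the request came from. The following PHP is an added example of a hardened WooCommerce API callback handler, not code from the plugin or from the advisory; the hook name, the callback-token header, the option names and the gateway lookup URL are assumptions made for illustration.

```php
<?php
// Added example (not the plugin's code): a hardened WooCommerce API callback
// handler. Hook name, header name, option names and the gateway lookup URL are
// assumptions for illustration, not values taken from the advisory.
add_action( 'woocommerce_api_wc_xendit_callback', 'example_xendit_callback' );

function example_xendit_callback() {
    // 1. Authenticate the request: compare the shared secret the gateway sends
    //    with the one stored at setup time, using a constant-time comparison.
    $expected = (string) get_option( 'example_xendit_callback_token', '' );
    $sent     = isset( $_SERVER['HTTP_X_CALLBACK_TOKEN'] ) ? (string) $_SERVER['HTTP_X_CALLBACK_TOKEN'] : '';
    if ( '' === $expected || ! hash_equals( $expected, $sent ) ) {
        status_header( 401 );
        exit;
    }

    $payload = json_decode( file_get_contents( 'php://input' ), true );
    $order   = is_array( $payload ) && isset( $payload['external_id'] ) ? wc_get_order( absint( $payload['external_id'] ) ) : false;
    if ( ! $order || ! $order->needs_payment() ) {
        status_header( 200 ); // unknown or already-paid order: nothing to do
        exit;
    }

    // 2. Never trust the status in the POST body. Re-fetch the invoice from the
    //    gateway with the server-side API key and act only on what it returns.
    $response = wp_remote_get(
        'https://api.example-gateway.invalid/invoices/' . rawurlencode( $payload['id'] ?? '' ),
        array( 'headers' => array( 'Authorization' => 'Basic ' . base64_encode( get_option( 'example_xendit_secret_key' ) . ':' ) ) )
    );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        status_header( 500 );
        exit;
    }
    $invoice = json_decode( wp_remote_retrieve_body( $response ), true );
    $paid    = is_array( $invoice )
        && in_array( $invoice['status'] ?? '', array( 'PAID', 'SETTLED' ), true )
        && (string) ( $invoice['external_id'] ?? '' ) === (string) $order->get_id()
        && (float) ( $invoice['amount'] ?? 0 ) >= (float) $order->get_total();

    if ( $paid ) {
        $order->payment_complete( $invoice['id'] ?? '' );
        $order->add_order_note( 'Payment confirmed by gateway lookup.' );
    } else {
        $order->add_order_note( 'Callback received but the gateway did not confirm payment; order left unpaid.' );
    }
    status_header( 200 );
    exit;
}
```

The three checks together (shared token, server-side re-fetch, amount and order-ID match) mean that a forged POST naming a sequential order ID and a 'PAID' status no longer changes anything on its own.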

Fix

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2025-14461

Affected Products: Xendit Payment