The Revolut Gateway for WooCommerce plugin suffers from a missing capability check (CWE-862) on its /wc/v3/revolut REST API endpoint in all versions up to 4.17.3. This lack of authorization validation permits unauthenticated users to change order statuses to completed, potentially impacting order integrity. The vulnerability has a CVSS 3.1 base score of 5.3, reflecting a medium severity with network attack vector, no privileges required, and no user interaction needed. No patch or vendor advisory indicating remediation is currently available.

An attacker without authentication can modify order data by marking orders as completed, which could disrupt order processing workflows and cause business logic inconsistencies. There is no direct confidentiality or availability impact reported. The integrity of order status data is compromised.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict access to the affected REST API endpoint through network controls or WordPress security plugins that can enforce authorization checks. Monitor for updates from the vendor regarding an official fix.