The vulnerability identified as CVE-2025-11890 affects the Crypto Payment Gateway with Payeer for WooCommerce plugin, a WordPress extension that facilitates cryptocurrency payments via the Payeer system. The root cause is a missing authorization check (CWE-862) in the plugin's server-side callback endpoint (/wc-api/bp-payeer-gateway-callback). This endpoint is responsible for updating order payment statuses based on payment confirmations. However, due to improper validation, unauthenticated attackers can send crafted requests to this endpoint to change the status of unpaid orders to paid without any legitimate payment verification. This bypasses the intended payment verification mechanism, allowing attackers to fraudulently mark orders as paid and potentially receive goods or services without payment. The vulnerability affects all versions up to and including 1.0.3. The CVSS v3.1 base score is 7.5, reflecting a high severity due to the vulnerability's network accessibility (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and impact limited to integrity (I:H) without affecting confidentiality or availability. No patches are currently linked, and no known exploits have been observed in the wild, but the flaw's nature makes it a significant risk for e-commerce merchants relying on this plugin for payment processing.

The primary impact of this vulnerability is financial loss due to fraudulent order fulfillment. Attackers can manipulate order statuses to appear paid without actual payment, leading to revenue loss and potential inventory depletion. This undermines the integrity of the payment process and damages merchant trust. Additionally, the vulnerability could facilitate further fraud schemes, such as reselling goods obtained through unauthorized orders. For organizations, this can result in direct monetary losses, reputational damage, and increased operational costs related to fraud investigation and remediation. The vulnerability also exposes weaknesses in payment processing security, which could be exploited in combination with other attacks. Since the flaw requires no authentication or user interaction and is exploitable remotely, the attack surface is broad, affecting any WooCommerce store using the vulnerable plugin version. This can disrupt business operations and erode customer confidence in online payment security.

Until an official patch is released, affected organizations should immediately disable the Crypto Payment Gateway with Payeer for WooCommerce plugin to prevent exploitation. Merchants should implement additional server-side validation for payment status updates, such as verifying payment confirmations directly with the Payeer API before marking orders as paid. Monitoring and alerting on unusual order status changes can help detect exploitation attempts early. Restricting access to the callback endpoint via IP whitelisting or web application firewall (WAF) rules can reduce exposure. Once a patch is available, promptly apply it and verify that authorization checks are correctly enforced. Additionally, merchants should review transaction logs regularly and reconcile payments to identify discrepancies. Educating staff about this vulnerability and encouraging vigilance in payment processing workflows will further reduce risk.