CVE-2025-14078: CWE-862 Missing Authorization in shoheitanaka PAYGENT for WooCommerce
The PAYGENT for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.4.6. This is due to missing authorization checks on the paygent_check_webhook function combined with the paygent_permission_callback function unconditionally returning true on line 199. This makes it possible for unauthenticated attackers to manipulate payment callbacks and modify order statuses by sending forged payment notifications via the `/wp-json/paygent/v1/check/` endpoint.
AI Analysis
Technical Summary
The PAYGENT for WooCommerce plugin suffers from a Missing Authorization vulnerability (CWE-862) due to the paygent_permission_callback function unconditionally returning true, which disables proper authorization checks on the paygent_check_webhook function. This flaw allows unauthenticated attackers to send forged payment notifications to the /wp-json/paygent/v1/check/ REST API endpoint, enabling them to alter order statuses without proper permissions. The vulnerability affects all versions up to and including 2.4.6.
Potential Impact
An attacker can manipulate payment callbacks by sending unauthorized forged notifications, resulting in the modification of order statuses without authentication. This could disrupt order processing and potentially cause financial or operational inconsistencies in affected WooCommerce stores using the PAYGENT plugin.
Mitigation Recommendations
No official patch or fix is currently available for this vulnerability. Users should monitor the vendor's advisory for updates and consider disabling or restricting access to the /wp-json/paygent/v1/check/ endpoint until a fix is released. Implementing additional access controls or firewall rules to limit access to this endpoint may help mitigate exploitation risk.
CVE-2025-14078: CWE-862 Missing Authorization in shoheitanaka PAYGENT for WooCommerce
Description
The PAYGENT for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.4.6. This is due to missing authorization checks on the paygent_check_webhook function combined with the paygent_permission_callback function unconditionally returning true on line 199. This makes it possible for unauthenticated attackers to manipulate payment callbacks and modify order statuses by sending forged payment notifications via the `/wp-json/paygent/v1/check/` endpoint.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The PAYGENT for WooCommerce plugin suffers from a Missing Authorization vulnerability (CWE-862) due to the paygent_permission_callback function unconditionally returning true, which disables proper authorization checks on the paygent_check_webhook function. This flaw allows unauthenticated attackers to send forged payment notifications to the /wp-json/paygent/v1/check/ REST API endpoint, enabling them to alter order statuses without proper permissions. The vulnerability affects all versions up to and including 2.4.6.
Potential Impact
An attacker can manipulate payment callbacks by sending unauthorized forged notifications, resulting in the modification of order statuses without authentication. This could disrupt order processing and potentially cause financial or operational inconsistencies in affected WooCommerce stores using the PAYGENT plugin.
Mitigation Recommendations
No official patch or fix is currently available for this vulnerability. Users should monitor the vendor's advisory for updates and consider disabling or restricting access to the /wp-json/paygent/v1/check/ endpoint until a fix is released. Implementing additional access controls or firewall rules to limit access to this endpoint may help mitigate exploitation risk.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-12-04T22:46:03.449Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 696b47c6d302b072d9dc16e9
Added to database: 1/17/2026, 8:26:46 AM
Last enriched: 4/9/2026, 4:42:51 PM
Last updated: 5/10/2026, 10:48:45 AM
Views: 172
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.