CVE-2025-14078 is a vulnerability classified under CWE-862 (Missing Authorization) found in the PAYGENT for WooCommerce plugin for WordPress, affecting all versions up to and including 2.4.6. The root cause is the absence of proper authorization checks in the paygent_check_webhook function. Specifically, the paygent_permission_callback function, which should verify the legitimacy of requests, unconditionally returns true, effectively disabling any authorization mechanism. This flaw allows unauthenticated attackers to send crafted HTTP requests to the `/wp-json/paygent/v1/check/` REST API endpoint, which is intended to process payment callbacks from the PAYGENT payment gateway. By exploiting this, attackers can forge payment notifications, leading to unauthorized modification of order statuses within the WooCommerce system. This manipulation can result in orders being marked as paid or completed without actual payment, undermining the integrity of the e-commerce transaction process. The vulnerability has a CVSS 3.1 base score of 5.3, reflecting a network attack vector with low complexity, no privileges required, and no user interaction needed. The impact is limited to integrity, with no direct confidentiality or availability effects. No patches or official fixes have been published at the time of this report, and no known exploits have been observed in the wild. The vulnerability is significant for merchants relying on PAYGENT for WooCommerce, as it compromises the trustworthiness of payment processing and order management.

For European organizations, especially e-commerce businesses using WooCommerce with the PAYGENT plugin, this vulnerability poses a risk of financial fraud through unauthorized order status manipulation. Attackers could mark unpaid orders as paid, leading to loss of revenue and potential chargebacks. This undermines customer trust and may cause operational disruptions in order fulfillment and accounting processes. The integrity breach could also complicate compliance with financial regulations such as GDPR, as inaccurate transaction records may affect audit trails. While the vulnerability does not directly expose customer data or disrupt service availability, the financial and reputational damage could be significant. Organizations relying on PAYGENT in countries with high WooCommerce adoption and active e-commerce markets are particularly vulnerable. The absence of authentication requirements and the ease of exploitation increase the likelihood of automated or targeted attacks. This threat also highlights the importance of securing webhook endpoints, which are often overlooked in security assessments.

Until an official patch is released, organizations should implement immediate compensating controls. These include restricting access to the `/wp-json/paygent/v1/check/` endpoint by IP whitelisting known PAYGENT server IP addresses or using firewall rules to block unauthorized sources. Adding custom authorization checks or token validation in the webhook handler can prevent unauthorized requests. Monitoring and logging all webhook activity for anomalies or unexpected order status changes is critical for early detection. Organizations should also review and tighten WooCommerce order management workflows to detect inconsistencies. Once a vendor patch is available, promptly update the PAYGENT plugin to the fixed version. Additionally, conduct a thorough audit of recent transactions to identify potential fraudulent modifications. Educate staff on the risk and ensure incident response plans include scenarios involving payment manipulation. Regularly review plugin security and maintain a strict update policy for all e-commerce components.