The PAYGENT for WooCommerce plugin, widely used to facilitate payment processing within WooCommerce-based WordPress e-commerce sites, contains a critical security flaw identified as CVE-2025-14078. This vulnerability is classified under CWE-862 (Missing Authorization) and affects all plugin versions up to and including 2.4.6. The root cause is the absence of proper authorization checks in the paygent_check_webhook function, which processes payment callback notifications. Additionally, the paygent_permission_callback function, responsible for verifying permissions, unconditionally returns true, effectively disabling any access control. As a result, attackers can send crafted HTTP requests to the REST API endpoint /wp-json/paygent/v1/check/ without authentication or user interaction. These forged payment notifications can manipulate order statuses, potentially marking unpaid orders as paid or altering other critical order information. The vulnerability has a CVSS 3.1 base score of 5.3, reflecting medium severity, with an attack vector of network, low attack complexity, no privileges required, and no user interaction needed. While no exploits have been observed in the wild, the flaw presents a significant risk to the integrity of payment processing and order management in affected WooCommerce stores. The lack of authorization checks undermines the trustworthiness of payment callbacks, which are essential for accurate order fulfillment and financial reconciliation.

This vulnerability can lead to unauthorized modification of order statuses, allowing attackers to fraudulently mark orders as paid or alter payment states without completing actual transactions. This undermines the integrity of e-commerce operations, potentially causing financial losses, inventory mismanagement, and customer dissatisfaction. Attackers could exploit this flaw to bypass payment verification, resulting in revenue loss and increased chargebacks. Additionally, the manipulation of order data could disrupt business workflows and complicate auditing and compliance efforts. Since the vulnerability requires no authentication and can be exploited remotely, the attack surface is broad, affecting any WooCommerce store using the PAYGENT plugin. The impact extends to customer trust and brand reputation, as fraudulent orders and payment discrepancies may erode confidence in the affected online stores.

To mitigate this vulnerability, organizations should immediately update the PAYGENT for WooCommerce plugin to a version that includes proper authorization checks once available from the vendor. In the absence of an official patch, administrators should restrict access to the REST API endpoint /wp-json/paygent/v1/check/ by implementing IP whitelisting to allow only trusted PAYGENT servers or payment gateways. Web application firewalls (WAFs) can be configured to detect and block suspicious requests targeting this endpoint. Additionally, monitoring and alerting on unexpected order status changes can help detect exploitation attempts. Reviewing and hardening WordPress REST API permissions and disabling unused endpoints can reduce exposure. It is also advisable to audit payment logs regularly for anomalies and ensure that payment verification workflows include multiple validation steps beyond webhook callbacks. Finally, educating development and operations teams about secure coding practices related to authorization checks can prevent similar vulnerabilities in the future.