The Wallet System for WooCommerce plugin, widely used to enable digital wallet functionalities such as Buy Now Pay Later (BNPL), instant cashback, referral programs, and subscription payments, suffers from a missing authorization vulnerability identified as CVE-2025-14450. The root cause is the absence of a capability check in the 'change_wallet_fund_request_status_callback' function, which handles wallet withdrawal request status changes. This flaw allows any authenticated user with at least Subscriber-level privileges to invoke this function and manipulate wallet balances arbitrarily. Specifically, attackers can increase their own wallet funds or reduce other users' balances without proper authorization. The vulnerability affects all versions up to and including 2.7.2. The CVSS v3.1 score is 6.5 (medium severity), reflecting that the attack vector is network-based, requires low attack complexity, and only low privileges but no user interaction. The impact is high on integrity, as financial data can be altered, but confidentiality and availability are not directly affected. No patches or official fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability poses a significant risk to e-commerce platforms relying on this plugin for wallet management, potentially leading to financial loss, reputational damage, and customer trust erosion.

This vulnerability can lead to unauthorized financial manipulation within e-commerce platforms using the Wallet System for WooCommerce plugin. Attackers with minimal privileges can inflate their wallet balances or deflate others', resulting in direct monetary loss and fraudulent transactions. Such exploitation undermines the integrity of digital wallet systems, potentially causing significant financial damage to merchants and customers alike. The trustworthiness of payment and wallet features may be compromised, leading to customer dissatisfaction and legal liabilities. Additionally, if exploited at scale, it could disrupt business operations and require costly incident response and remediation efforts. Since the vulnerability does not affect confidentiality or availability directly, data breaches or service outages are less likely, but the financial integrity impact alone is critical for affected organizations.

Organizations should immediately restrict access to the Wallet System for WooCommerce plugin's wallet management functions to trusted roles only, ideally administrators, until an official patch is released. Implement custom capability checks or filters to enforce strict authorization on the 'change_wallet_fund_request_status_callback' function. Monitor logs for unusual wallet fund request status changes or balance modifications indicative of exploitation attempts. Regularly update the plugin once a security patch addressing this vulnerability is available from the vendor. Employ web application firewalls (WAFs) with rules to detect and block suspicious requests targeting wallet functions. Educate site administrators about the risk and encourage strong authentication practices to reduce the risk of compromised accounts with Subscriber-level access. Consider isolating wallet-related functionalities or using alternative plugins with verified security postures if immediate patching is not feasible.