CVE-2025-14450: CWE-862 Missing Authorization in wpswings Wallet System for WooCommerce – Digital Wallet, Buy Now Pay Later (BNPL), Instant Cashback, Referral program, Partial & Subscription Payments
CVE-2025-14450 is a medium-severity vulnerability in the Wallet System for WooCommerce plugin that allows authenticated users with Subscriber-level access or higher to manipulate wallet withdrawal requests due to missing authorization checks. Attackers can increase their own wallet balances or decrease those of other users without proper permissions. The vulnerability arises from the lack of capability checks in the 'change_wallet_fund_request_status_callback' function across all plugin versions up to 2.7.2. Exploitation requires no user interaction but does require authentication at a low privilege level, making it relatively easy to exploit in environments where user registration is open or compromised accounts exist. The impact is primarily on data integrity, potentially leading to financial losses and trust issues for e-commerce platforms using this plugin. No known exploits are currently reported in the wild. European organizations using WooCommerce with this plugin are at risk, especially those in countries with high e-commerce activity and WooCommerce adoption. Mitigation involves applying vendor patches when available, restricting user roles, and monitoring wallet transactions for anomalies.
AI Analysis
Technical Summary
The Wallet System for WooCommerce plugin, widely used to provide digital wallet functionalities such as Buy Now Pay Later (BNPL), instant cashback, referral programs, and subscription payments, contains a critical authorization vulnerability identified as CVE-2025-14450. This vulnerability stems from a missing capability check in the 'change_wallet_fund_request_status_callback' function, which handles wallet withdrawal request status changes. Because the plugin fails to verify whether the authenticated user has the appropriate permissions before processing these requests, any user with Subscriber-level access or higher can exploit this flaw. Attackers can arbitrarily modify wallet balances by approving or rejecting withdrawal requests, effectively increasing their own funds or decreasing those of other users. The vulnerability affects all versions up to and including 2.7.2. The CVSS v3.1 score is 6.5 (medium severity), reflecting the network attack vector, low attack complexity, and the requirement for low privileges but no user interaction. The flaw impacts data integrity without affecting confidentiality or availability. Although no known exploits are currently reported, the ease of exploitation and the financial nature of the vulnerability make it a significant risk for e-commerce sites relying on this plugin. The vulnerability is particularly concerning for platforms with open user registration or weak user access controls, as attackers can gain Subscriber-level access and exploit the flaw. The lack of patches at the time of reporting necessitates immediate risk mitigation through access control and monitoring.
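As an added example (not code from the Wallet System for WooCommerce plugin or from the advisory), the following PHP contrasts a WordPress AJAX handler with the missing-authorization shape described above against a hardened version of the same handler. The action name `example_change_fund_request_status`, the post type `example_fund_request` and the meta key `_example_fund_status` are assumptions made for the illustration; the capability `manage_woocommerce` and the WordPress functions used are real.

```php
<?php
/**
 * Added illustration, not code from the Wallet System for WooCommerce plugin:
 * a WordPress AJAX handler that changes the status of a wallet withdrawal
 * ("fund") request, first in the CWE-862 shape the advisory describes and
 * then hardened.
 *
 * Assumptions (constructed for this example; the real plugin's names differ):
 *  - the AJAX action is registered as 'example_change_fund_request_status';
 *  - a request is a post of type 'example_fund_request' whose author is the
 *    requesting customer, with its state in post meta '_example_fund_status'
 *    ('pending', 'approved' or 'rejected').
 */

// --- BEFORE: missing authorization ----------------------------------------
// Every logged-in user, Subscriber included, can reach a wp_ajax_* hook, so a
// handler that goes straight to the state change lets any account approve or
// reject any withdrawal.
function example_change_fund_request_status_vulnerable() {
    $request_id = absint( $_POST['request_id'] ?? 0 );
    $new_status = sanitize_key( wp_unslash( $_POST['status'] ?? '' ) );
    update_post_meta( $request_id, '_example_fund_status', $new_status );
    wp_send_json_success();
}

// --- AFTER: nonce, capability, validation, audit ---------------------------
function example_change_fund_request_status_callback() {
    // 1. CSRF: the nonce must have been issued for this specific action.
    check_ajax_referer( 'example_change_fund_request_status', 'nonce' );

    // 2. Authorization (the check the advisory says is missing): only users
    //    holding WooCommerce's 'manage_woocommerce' capability, i.e. shop
    //    managers and administrators, may decide on withdrawals.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Validation: the target must be a real request in a state that can
    //    still change, and the new state must be one the workflow allows.
    $request_id = absint( $_POST['request_id'] ?? 0 );
    $new_status = sanitize_key( wp_unslash( $_POST['status'] ?? '' ) );
    $request    = get_post( $request_id );

    if ( ! $request || 'example_fund_request' !== $request->post_type ) {
        wp_send_json_error( array( 'message' => 'unknown request' ), 404 );
    }
    if ( ! in_array( $new_status, array( 'approved', 'rejected' ), true ) ) {
        wp_send_json_error( array( 'message' => 'invalid status' ), 400 );
    }
    $current = get_post_meta( $request_id, '_example_fund_status', true );
    if ( 'pending' !== $current ) {
        // A request that was already decided must not be re-approved, or the
        // wallet would be credited or debited twice.
        wp_send_json_error( array( 'message' => 'request already processed' ), 409 );
    }

    // 4. Audit trail for the monitoring the advisory recommends: who changed
    //    which request, from which state to which, and from where.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : 'unknown';
    error_log( sprintf(
        'fund_request_status_change request=%d owner=%d actor=%d from=%s to=%s ip=%s',
        $request_id, (int) $request->post_author, get_current_user_id(), $current, $new_status, $ip
    ) );

    update_post_meta( $request_id, '_example_fund_status', $new_status );
    wp_send_json_success( array( 'request_id' => $request_id, 'status' => $new_status ) );
}

// Logged-in users only: no wp_ajax_nopriv_ registration for this action.
add_action( 'wp_ajax_example_change_fund_request_status', 'example_change_fund_request_status_callback' );
```

Until a vendor release carries an equivalent check, the same `current_user_can( 'manage_woocommerce' )` test can be attached as a must-use plugin on the plugin's real AJAX hook at priority 0 (the hook name has to be read from the installed plugin's source, since the advisory only names the callback), calling `wp_send_json_error` before the vulnerable callback runs.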
Potential Impact
For European organizations, especially e-commerce businesses using WooCommerce with the Wallet System plugin, this vulnerability poses a direct financial risk. Attackers can manipulate wallet balances, leading to unauthorized fund withdrawals or fraudulent credit increases, which can result in monetary losses and damage to customer trust. The integrity of financial transactions is compromised, potentially affecting accounting and reconciliation processes. This could also lead to regulatory scrutiny under European data protection and financial transaction laws, such as GDPR and PSD2, if customer funds are mishandled or fraud occurs. The vulnerability may also facilitate further attacks if attackers leverage increased wallet balances to make purchases or launder money. Organizations with large user bases or those operating in competitive markets may suffer reputational damage. The medium severity rating suggests a moderate but tangible risk that requires prompt attention to avoid exploitation.
Mitigation Recommendations
1. Immediately restrict user registration and review user roles to ensure that only trusted users have Subscriber-level or higher access.
2. Implement strict role-based access controls (RBAC) to limit wallet management capabilities to trusted administrators only.
3. Monitor wallet transaction logs and withdrawal requests for unusual patterns or anomalies indicative of exploitation attempts.
4. Apply any vendor patches or updates as soon as they become available to address the missing authorization check.
5. If patches are not yet available, consider temporarily disabling the wallet withdrawal functionality or the entire Wallet System plugin to prevent exploitation.
6. Conduct regular security audits and penetration tests focusing on user privilege escalation and wallet transaction integrity.
7. Educate staff and users about the risks of phishing or credential compromise that could lead to unauthorized access.
8. Use Web Application Firewalls (WAFs) with custom rules to detect and block suspicious requests targeting wallet functions.
9. Implement multi-factor authentication (MFA) for user accounts to reduce the risk of account takeover.
10. Maintain comprehensive backups and incident response plans to quickly recover from any exploitation.
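To make recommendation 3 concrete, here is an added PHP script, not part of the advisory or the plugin, that triages an audit log of wallet fund-request status changes for the two traces exploitation of this flaw would leave: a status change performed by an account without a store-management role, and an account approving its own withdrawal. The log format and every sample line are constructed for the example; the role names `administrator` and `shop_manager` are the WordPress and WooCommerce defaults.

```php
<?php
/**
 * Added example (not from the advisory or the plugin): offline triage of an
 * audit log of wallet fund-request status changes. The log format and all
 * sample lines below are constructed for this example.
 */

// Constructed sample lines: timestamp, request id, request owner, acting user,
// the actor's role, resulting status and source IP.
$sample_log = <<<'LOG'
2026-01-17T02:10:01Z fund_request_status_change request=101 owner=42 actor=3 role=shop_manager to=approved ip=203.0.113.10
2026-01-17T02:12:44Z fund_request_status_change request=102 owner=77 actor=77 role=subscriber to=approved ip=198.51.100.7
2026-01-17T02:12:45Z fund_request_status_change request=103 owner=58 actor=77 role=subscriber to=rejected ip=198.51.100.7
2026-01-17T02:15:09Z fund_request_status_change request=104 owner=12 actor=3 role=administrator to=rejected ip=203.0.113.10
LOG;

// Roles that legitimately decide on withdrawals in a default WooCommerce setup.
const PRIVILEGED_ROLES = array( 'administrator', 'shop_manager' );

/** Parse one log line into an associative array, or null if it is not a status-change record. */
function parse_fund_log_line( string $line ): ?array {
    if ( ! preg_match( '/^(\S+) fund_request_status_change (.*)$/', $line, $m ) ) {
        return null;
    }
    $fields = array( 'ts' => $m[1] );
    foreach ( explode( ' ', $m[2] ) as $kv ) {
        [ $k, $v ] = explode( '=', $kv, 2 ) + array( null, null );
        if ( $k !== null && $k !== '' ) {
            $fields[ $k ] = $v;
        }
    }
    return $fields;
}

/** Return a list of human-readable findings for a block of log text. */
function find_suspicious_status_changes( string $log ): array {
    $findings = array();
    foreach ( preg_split( '/\R/', trim( $log ) ) as $line ) {
        $e = parse_fund_log_line( $line );
        if ( $e === null ) {
            continue;
        }
        $role = $e['role'] ?? '';
        // Signal 1: the status was changed by an account that should never be
        // able to, which is exactly what a missing capability check permits.
        if ( ! in_array( $role, PRIVILEGED_ROLES, true ) ) {
            $findings[] = sprintf( '%s request %s: status set by non-privileged actor %s (%s)',
                $e['ts'], $e['request'] ?? '?', $e['actor'] ?? '?', $role );
        }
        // Signal 2: the requester approved their own withdrawal.
        if ( isset( $e['owner'], $e['actor'] ) && $e['owner'] === $e['actor'] && ( $e['to'] ?? '' ) === 'approved' ) {
            $findings[] = sprintf( '%s request %s: actor %s approved their own withdrawal',
                $e['ts'], $e['request'] ?? '?', $e['actor'] );
        }
    }
    return $findings;
}

// On the constructed sample this reports three findings: two for request 102
// (subscriber actor, self-approval) and one for request 103 (subscriber actor).
foreach ( find_suspicious_status_changes( $sample_log ) as $finding ) {
    echo $finding, PHP_EOL;
}
```

In production the same two rules can be applied to whatever record the wallet plugin or a hardened callback writes for each status change; the key is that the record carries both the acting user and the request owner, since a balance change alone cannot distinguish a legitimate approval from an abused one.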
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-10T14:23:46.780Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 696af5b4b22c7ad8685027b1
Added to database: 1/17/2026, 2:36:36 AM
Last enriched: 1/17/2026, 2:51:24 AM
Last updated: 1/17/2026, 3:59:31 AM