CVE-2025-14450 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the Wallet System for WooCommerce plugin, which provides digital wallet and payment functionalities including Buy Now Pay Later (BNPL), instant cashback, referral programs, partial and subscription payments. The vulnerability arises from the absence of a capability check in the 'change_wallet_fund_request_status_callback' function, allowing authenticated users with Subscriber-level privileges or higher to modify wallet withdrawal requests without proper authorization. This flaw enables attackers to arbitrarily increase their own wallet balances or decrease those of other users by manipulating withdrawal request statuses. The vulnerability affects all versions up to and including 2.7.2. The CVSS 3.1 base score is 6.5 (medium severity), with an attack vector of network (remote), low attack complexity, requiring privileges (low-level authenticated user), no user interaction, and impacting integrity but not confidentiality or availability. No patches are currently linked, and no exploits are known in the wild. The vulnerability compromises the integrity of wallet balances, potentially leading to financial losses and fraud within affected e-commerce platforms. Given the plugin's integration with WooCommerce on WordPress, a widely used e-commerce platform, the vulnerability poses a significant risk to online merchants using this plugin for wallet and payment management.

For European organizations, this vulnerability could lead to unauthorized financial manipulation within their e-commerce platforms, resulting in direct monetary losses, customer trust erosion, and potential regulatory scrutiny under data protection and financial transaction laws. The integrity compromise of wallet balances can facilitate fraud, abuse of BNPL schemes, and disruption of cashback or referral programs, impacting revenue and customer satisfaction. Organizations relying on this plugin for critical payment workflows may face operational disruptions and reputational damage. The risk is heightened for businesses with large user bases or those handling significant transaction volumes. Additionally, financial fraud resulting from this vulnerability could trigger investigations by European financial regulators and data protection authorities, especially under GDPR if customer data or transaction records are involved. The medium severity indicates a serious but not immediately critical threat, emphasizing the need for timely mitigation to avoid exploitation.

1. Immediately restrict user roles and permissions to minimize Subscriber-level users or any non-trusted users who can authenticate to the WordPress site. 2. Monitor wallet transaction logs and withdrawal requests for unusual activity patterns, such as sudden balance increases or decreases. 3. Implement custom capability checks or access controls on the 'change_wallet_fund_request_status_callback' function if patching is not yet available. 4. Keep the Wallet System for WooCommerce plugin updated and apply security patches promptly once released by the vendor. 5. Consider deploying Web Application Firewalls (WAFs) with rules to detect and block suspicious requests targeting wallet fund modifications. 6. Conduct regular security audits and penetration testing focused on e-commerce payment workflows. 7. Educate administrators and users about the risks of privilege escalation and enforce strong authentication mechanisms to reduce risk of compromised accounts. 8. Backup wallet and transaction data regularly to enable recovery in case of fraudulent modifications.