CVE-2025-14460: CWE-862 Missing Authorization in enartia Piraeus Bank WooCommerce Payment Gateway
The Piraeus Bank WooCommerce Payment Gateway plugin for WordPress is vulnerable to unauthorized order status modification in all versions up to, and including, 3.1.4. This is due to missing authorization checks on the payment callback endpoint handler when processing the 'fail' callback from the payment gateway. This makes it possible for unauthenticated attackers to change any order's status to 'failed' via the publicly accessible WooCommerce API endpoint by providing only the order ID (MerchantReference parameter), which can be easily enumerated as order IDs are sequential integers. This can cause significant business disruption including canceled shipments, inventory issues, and loss of revenue.
AI Analysis
Technical Summary
CVE-2025-14460 is a missing authorization vulnerability (CWE-862) in the Piraeus Bank WooCommerce Payment Gateway plugin for WordPress, affecting all versions up to 3.1.4. The issue arises because the payment callback endpoint handler does not verify authorization when processing the 'fail' callback from the payment gateway. This allows unauthenticated attackers to change any order's status to 'failed' by submitting the order ID (MerchantReference parameter) via the publicly accessible WooCommerce API endpoint. Since order IDs are sequential integers, they can be easily enumerated, enabling widespread unauthorized order status modifications.
Potential Impact
The vulnerability enables unauthenticated attackers to arbitrarily set order statuses to 'failed', which can lead to significant business disruptions including canceled shipments, inventory inconsistencies, and potential revenue loss. There is no impact on confidentiality or availability reported, but the integrity of order processing is compromised.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, consider restricting access to the payment callback endpoint or implementing custom authorization checks to prevent unauthorized status changes. Monitor for updates from the vendor enartia regarding patches or official mitigations.
CVE-2025-14460: CWE-862 Missing Authorization in enartia Piraeus Bank WooCommerce Payment Gateway
Description
The Piraeus Bank WooCommerce Payment Gateway plugin for WordPress is vulnerable to unauthorized order status modification in all versions up to, and including, 3.1.4. This is due to missing authorization checks on the payment callback endpoint handler when processing the 'fail' callback from the payment gateway. This makes it possible for unauthenticated attackers to change any order's status to 'failed' via the publicly accessible WooCommerce API endpoint by providing only the order ID (MerchantReference parameter), which can be easily enumerated as order IDs are sequential integers. This can cause significant business disruption including canceled shipments, inventory issues, and loss of revenue.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2025-14460 is a missing authorization vulnerability (CWE-862) in the Piraeus Bank WooCommerce Payment Gateway plugin for WordPress, affecting all versions up to 3.1.4. The issue arises because the payment callback endpoint handler does not verify authorization when processing the 'fail' callback from the payment gateway. This allows unauthenticated attackers to change any order's status to 'failed' by submitting the order ID (MerchantReference parameter) via the publicly accessible WooCommerce API endpoint. Since order IDs are sequential integers, they can be easily enumerated, enabling widespread unauthorized order status modifications.
Potential Impact
The vulnerability enables unauthenticated attackers to arbitrarily set order statuses to 'failed', which can lead to significant business disruptions including canceled shipments, inventory inconsistencies, and potential revenue loss. There is no impact on confidentiality or availability reported, but the integrity of order processing is compromised.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, consider restricting access to the payment callback endpoint or implementing custom authorization checks to prevent unauthorized status changes. Monitor for updates from the vendor enartia regarding patches or official mitigations.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-12-10T15:56:31.158Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 695e4c147349d0379d7d5801
Added to database: 1/7/2026, 12:05:40 PM
Last enriched: 4/9/2026, 9:50:48 AM
Last updated: 5/8/2026, 9:37:17 PM
Views: 166
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.