The Xendit Payment plugin for WordPress, used to integrate Xendit's payment gateway with WooCommerce, contains a critical design flaw in its payment callback handling mechanism. Specifically, the plugin exposes a publicly accessible API endpoint named `wc_xendit_callback` that processes payment status updates from Xendit's payment gateway. However, this endpoint does not implement any form of authentication or cryptographic verification to confirm that incoming requests genuinely originate from Xendit's servers. As a result, an unauthenticated attacker can craft POST requests to this endpoint containing a JSON payload with an `external_id` field matching a valid WooCommerce order ID pattern and a `status` field set to 'PAID' or 'SETTLED'. Because WooCommerce order IDs are sequential integers, an attacker can enumerate valid order IDs to target specific orders. Upon receiving such a request, the plugin updates the order status to paid, effectively marking the order as completed without any actual payment transaction. This vulnerability is classified under CWE-862 (Missing Authorization) and affects all plugin versions up to and including 6.0.2. The CVSS v3.1 base score is 5.3 (medium), reflecting the ease of exploitation (no privileges or user interaction required) but limited impact on confidentiality and availability. The primary impact is on integrity, as attackers can manipulate order data to cause financial loss and inventory inaccuracies. No patches or fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability highlights a critical security oversight in the plugin's design, where trust is implicitly placed on incoming callback requests without validation.

This vulnerability can have significant financial and operational impacts on organizations using the Xendit Payment plugin with WooCommerce. Attackers can fraudulently mark orders as paid, leading to unauthorized order fulfillment and shipment of goods or services without receiving payment. This results in direct financial losses and inventory depletion, potentially disrupting supply chains and customer satisfaction. Additionally, the integrity of order and payment data is compromised, undermining trust in the e-commerce platform. While confidentiality and availability are not directly affected, the fraudulent order manipulation can cause reputational damage and increased operational costs due to chargebacks, refunds, and investigations. Organizations with high transaction volumes or valuable inventory are at greater risk. The ease of exploitation (no authentication or user interaction required) increases the likelihood of automated attacks targeting multiple orders rapidly. This threat is particularly critical for businesses relying heavily on WooCommerce and the Xendit Payment plugin in their payment processing workflows.

To mitigate this vulnerability, organizations should implement the following specific measures: 1) Immediately restrict access to the `wc_xendit_callback` endpoint by implementing authentication mechanisms such as API keys, HMAC signatures, or IP whitelisting to verify that requests originate from Xendit's trusted servers. 2) Introduce cryptographic verification of callback payloads using shared secrets or digital signatures to ensure data integrity and authenticity. 3) Implement rate limiting and monitoring on the callback endpoint to detect and block suspicious or excessive requests that may indicate enumeration or abuse attempts. 4) Review and update the plugin to the latest version once a patch is released by the vendor addressing this authorization flaw. 5) Audit existing orders for suspicious status changes and reconcile payment records against actual transactions to identify fraudulent orders. 6) Educate development and security teams about the risks of missing authorization on API endpoints and enforce secure coding practices for third-party integrations. 7) If immediate patching is not possible, consider temporarily disabling the Xendit Payment plugin or replacing it with alternative payment solutions that enforce proper authorization controls.