CVE-2025-14461: CWE-862 Missing Authorization in tpixendit Xendit Payment
The Xendit Payment plugin for WordPress is vulnerable to unauthorized order status manipulation in all versions up to, and including, 6.0.2. This is due to the plugin exposing a publicly accessible WooCommerce API callback endpoint (`wc_xendit_callback`) that processes payment callbacks without any authentication or cryptographic verification that the requests originate from Xendit's payment gateway. This makes it possible for unauthenticated attackers to mark any WooCommerce order as paid by sending a crafted POST request to the callback URL with a JSON body containing an `external_id` matching the order ID pattern and a `status` of 'PAID' or 'SETTLED', provided they can enumerate order IDs (which are sequential integers). This leads to orders being fraudulently marked as completed without any actual payment, resulting in financial loss and inventory depletion.
AI Analysis
Technical Summary
CVE-2025-14461 describes a missing authorization vulnerability (CWE-862) in the Xendit Payment plugin for WordPress. The plugin's WooCommerce API callback endpoint `wc_xendit_callback` accepts payment status updates without authentication or cryptographic verification. This allows unauthenticated attackers to send POST requests with JSON bodies containing an `external_id` matching sequential order IDs and a `status` of 'PAID' or 'SETTLED'. As a result, attackers can fraudulently mark orders as paid, bypassing legitimate payment processing.
Potential Impact
Exploitation of this vulnerability enables attackers to mark WooCommerce orders as paid without actual payment, leading to potential financial loss for merchants and depletion of inventory. There is no impact on confidentiality or availability reported. The CVSS score of 5.3 reflects a medium severity with network attack vector, no privileges required, and no user interaction needed.
Mitigation Recommendations
Patch status is not yet confirmed — no official patch or vendor advisory is provided in the available data. Users should monitor the vendor's official channels for updates and consider implementing additional access controls or network restrictions on the callback endpoint to prevent unauthorized access until a fix is released.
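As an added example (not code from the plugin, from Xendit, or from the advisory), the checks the callback endpoint is described as lacking, written in Python: the handler rejects the request unless a server-side callback token matches in constant time, the `external_id` fits the expected order pattern, and the amount and currency agree with the stored order; replays are idempotent. The header name `x-callback-token`, the `external_id` pattern and the in-memory order store are assumptions.

```python
import hmac
import json
import re

# Assumed: a secret the merchant configures server-side and the gateway echoes in a header.
CALLBACK_TOKEN = "constructed-callback-token"
# Assumed external_id layout "<prefix>-<order_id>"; the digits are the WooCommerce order ID.
EXTERNAL_ID_RE = re.compile(r"^[A-Za-z0-9_]+-(\d+)$")
FINAL_STATUSES = {"PAID", "SETTLED"}

# Constructed stand-in for the order table; status transitions are the only side effect.
ORDERS = {1001: {"status": "pending", "amount": 150000, "currency": "IDR"}}


def verify_callback_token(headers, expected):
    """Constant-time comparison so a wrong token cannot be distinguished byte by byte."""
    presented = headers.get("x-callback-token", "")
    return hmac.compare_digest(presented.encode(), expected.encode())


def handle_callback(headers, body, orders=ORDERS):
    """Return (http_status, reason). The order is only marked paid once every check passes."""
    if not verify_callback_token(headers, CALLBACK_TOKEN):
        return 401, "missing or invalid callback token"
    try:
        payload = json.loads(body)
    except ValueError:
        return 400, "malformed JSON"
    match = EXTERNAL_ID_RE.match(str(payload.get("external_id", "")))
    if not match:
        return 400, "external_id does not match expected pattern"
    order = orders.get(int(match.group(1)))
    if order is None:
        return 404, "unknown order"
    if payload.get("status") not in FINAL_STATUSES:
        return 200, "ignored non-final status"
    # A spoofed callback must also get the amount and currency right, not just the order ID.
    if payload.get("paid_amount") != order["amount"] or payload.get("currency") != order["currency"]:
        return 400, "amount or currency mismatch"
    if order["status"] == "paid":
        return 200, "already paid (idempotent replay)"
    order["status"] = "paid"
    return 200, "order marked paid"


if __name__ == "__main__":
    good = {"x-callback-token": CALLBACK_TOKEN}
    body = json.dumps({"external_id": "order-1001", "status": "PAID",
                       "paid_amount": 150000, "currency": "IDR"})
    print(handle_callback({}, body))      # unauthenticated request is refused
    print(handle_callback(good, body))    # genuine callback marks the order paid
```

Querying the gateway for the invoice by its ID and trusting that response rather than the posted body is a stronger variant of the same check.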
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-10T15:58:16.899Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69830729f9fa50a62f79eb57
Added to database: 2/4/2026, 8:45:29 AM
Last enriched: 4/9/2026, 9:16:34 PM
Last updated: 5/8/2026, 1:51:45 PM