CVE-2025-15400 is a missing authorization vulnerability (CWE-862) affecting the OpenPix for WooCommerce WordPress plugin through version 2.13.3. The plugin exposes AJAX endpoints that allow authenticated users to reset critical payment gateway configuration options, including API credentials and webhook statuses, without performing capability checks or verifying nonces. This lack of authorization controls means that even low-privileged users such as subscribers can trigger these AJAX actions. The vulnerability arises because the plugin fails to enforce proper permission checks before executing sensitive configuration resets. As a result, an attacker who can log in to the WordPress site with any authenticated role can disrupt the OpenPix payment functionality by clearing API keys and webhook statuses, causing persistent denial of service to payment processing. The vulnerability has a CVSS v3.1 base score of 6.5, reflecting its medium severity with network attack vector, low attack complexity, and requiring privileges but no user interaction. No known public exploits have been reported yet. The vulnerability highlights the importance of enforcing strict authorization and nonce validation on AJAX actions that modify critical e-commerce configurations.

The primary impact of CVE-2025-15400 is on the integrity and availability of payment processing within affected WooCommerce stores using the OpenPix plugin. Attackers with any authenticated user account can reset API credentials and webhook statuses, effectively disabling the OpenPix payment gateway. This disruption can lead to loss of revenue, customer trust, and operational downtime for online merchants relying on OpenPix for payment processing. Since the vulnerability does not expose confidential data, the confidentiality impact is minimal. However, the ease of exploitation by low-privileged users and the persistent nature of the disruption elevate the risk. Organizations with many user accounts or that allow subscriber registrations are particularly vulnerable to exploitation. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits once the vulnerability is publicly known.

1. Immediately restrict user roles that can authenticate on the WordPress site to trusted personnel only, minimizing the number of accounts that could exploit this vulnerability. 2. Monitor and audit user accounts and login activity to detect suspicious behavior from low-privileged users. 3. Disable or restrict AJAX endpoints related to OpenPix payment configuration via custom code or security plugins until an official patch is released. 4. Implement Web Application Firewall (WAF) rules to block unauthorized AJAX requests targeting OpenPix configuration actions. 5. Once available, promptly apply official patches or updates from the OpenPix plugin developers that enforce proper authorization and nonce checks. 6. Review and harden WordPress user role permissions to ensure subscribers or other low-privileged roles cannot access sensitive plugin functions. 7. Consider temporarily disabling the OpenPix payment gateway if disruption risk outweighs operational needs until the vulnerability is remediated. 8. Educate site administrators about the risks of granting unnecessary user privileges and the importance of plugin updates.