The PayHere Payment Gateway Plugin for WooCommerce suffers from a missing authorization vulnerability (CWE-862) in its check_payhere_response function, present in all versions up to 2.3.9. This function is responsible for validating payment responses from the PayHere gateway. Due to improper validation logic, unauthenticated attackers can manipulate the plugin to alter the status of pending WooCommerce orders to paid, completed, or on hold without any authentication or user interaction. This flaw arises because the plugin fails to verify that the incoming payment response is legitimate and authorized before updating order statuses. The vulnerability is remotely exploitable over the network with low attack complexity and no privileges required, making it accessible to any attacker aware of the plugin's presence. Although no public exploits have been reported yet, the impact includes unauthorized order completion, potential financial loss, and disruption of order processing workflows. The CVSS v3.1 base score is 5.3, indicating medium severity with no confidentiality or availability impact but integrity compromised due to unauthorized order status changes. The vulnerability is particularly critical for e-commerce sites relying on PayHere for payment processing, as it undermines the trustworthiness of transaction records and could facilitate fraud or chargeback issues. No official patches or updates are currently linked, so mitigation relies on monitoring and restricting access until a fix is released.

For European organizations, this vulnerability can lead to unauthorized manipulation of e-commerce transactions, resulting in financial losses, inventory mismanagement, and reputational damage. Attackers could fraudulently mark orders as paid without actual payment, causing fulfillment of unpaid goods or services. This undermines the integrity of order processing and payment reconciliation, potentially increasing chargebacks and disputes. Organizations operating in sectors with high online sales volumes, such as retail and digital services, face elevated risks. Additionally, regulatory compliance concerns arise if transaction records are tampered with, impacting audit trails and financial reporting. The ease of exploitation and lack of authentication requirements increase the likelihood of attacks, especially against small and medium enterprises that may not have robust monitoring or security controls. The vulnerability could also be leveraged as part of larger fraud schemes or combined with other attacks targeting e-commerce infrastructure. Overall, the threat compromises the integrity of payment processing systems, which is critical for maintaining customer trust and operational continuity in European markets.

1. Immediately monitor WooCommerce order status changes for unusual patterns, such as sudden status updates from pending to paid without corresponding payment confirmation. 2. Restrict access to the PayHere plugin endpoints by implementing web application firewall (WAF) rules to block unauthorized requests targeting the check_payhere_response function. 3. Limit exposure by restricting IP addresses allowed to communicate with the payment gateway callback URL to only trusted PayHere IP ranges if available. 4. Disable or temporarily deactivate the PayHere Payment Gateway plugin if feasible until an official patch is released. 5. Implement additional server-side validation to verify payment authenticity before updating order statuses, such as cross-checking with PayHere’s official API or payment logs. 6. Keep WooCommerce and all plugins up to date and subscribe to vendor security advisories for timely patch releases. 7. Educate staff to review and verify suspicious orders manually, especially those marked paid without clear payment evidence. 8. Consider deploying anomaly detection tools that flag irregular e-commerce transactions or status changes. 9. Conduct regular security audits and penetration tests focusing on payment processing workflows. 10. Prepare incident response plans to quickly address potential exploitation and mitigate financial impact.