CVE-2025-62754: Missing Authorization in Kapil Paul Payment Gateway bKash for WC
Missing Authorization vulnerability in Kapil Paul Payment Gateway bKash for WC woo-payment-bkash allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Payment Gateway bKash for WC: from n/a through <= 3.1.0.
AI Analysis
Technical Summary
CVE-2025-62754 identifies a critical missing authorization vulnerability in the Kapil Paul Payment Gateway bKash for WooCommerce (WC) plugin, specifically versions up to and including 3.1.0. This vulnerability arises from improperly configured access control mechanisms that fail to verify whether a user or request is authorized to perform certain sensitive operations within the payment gateway. As a result, an unauthenticated attacker can remotely exploit this flaw without any user interaction, bypassing security checks to execute unauthorized actions. The vulnerability impacts confidentiality and integrity, allowing attackers to potentially manipulate payment data, intercept or alter transactions, or gain access to sensitive financial information. The CVSS v3.1 base score of 9.1 reflects the ease of exploitation (network vector, no privileges required, no user interaction) combined with the high impact on confidentiality and integrity. Although no known exploits have been reported in the wild, the vulnerability poses a significant risk to e-commerce platforms relying on this plugin for processing bKash payments. The lack of available patches at the time of publication increases the urgency for organizations to apply mitigations or monitor closely for suspicious activity. The vulnerability is particularly relevant to WooCommerce installations that integrate the bKash payment gateway, a popular payment method in South Asia but also used by diaspora and international merchants, including those operating in Europe.
Potential Impact
For European organizations, the exploitation of this vulnerability could lead to severe financial losses through fraudulent transactions, unauthorized fund transfers, or theft of payment data. The compromise of payment gateway integrity undermines customer trust and can result in regulatory penalties under GDPR due to exposure of personal and financial data. E-commerce businesses using WooCommerce with the affected bKash plugin risk disruption of payment services, reputational damage, and potential legal liabilities. Given the critical nature of the vulnerability and the network-level exploitability without authentication, attackers could automate attacks at scale, affecting multiple merchants simultaneously. The impact extends beyond direct financial harm to include operational downtime and increased costs for incident response and remediation. Organizations with cross-border transactions involving bKash payments are particularly exposed, as attackers might exploit the gateway to intercept or manipulate international payments.
Mitigation Recommendations
1. Immediately audit all WooCommerce installations for the presence of the Kapil Paul Payment Gateway bKash plugin and identify versions at or below 3.1.0.
2. If an official patch is released, apply it without delay.
3. Until patches are available, implement strict network-level access controls to restrict access to the payment gateway endpoints only to trusted IP addresses or internal networks.
4. Employ Web Application Firewalls (WAFs) with custom rules to detect and block unauthorized access attempts targeting the payment gateway.
5. Monitor logs for unusual or unauthorized API calls or payment transactions indicative of exploitation attempts.
6. Enforce multi-factor authentication and role-based access controls on administrative interfaces related to payment processing.
7. Educate staff and customers about potential phishing or social engineering attacks that could be combined with this vulnerability.
8. Consider temporarily disabling the bKash payment option if risk tolerance is low and no immediate patch is available.
9. Coordinate with payment gateway vendors and WooCommerce support channels for updates and advisories.
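As an added example for step 1 (not code from the advisory or from the plugin vendor), the following Python script walks a WordPress root, reads the Version: header of the woo-payment-bkash plugin the way WordPress itself does (from the first 8 KiB of any top-level .php file in the plugin directory), and flags anything at or below 3.1.0. The file name woo-payment-bkash.php used in the constructed sample tree is an assumption; the scan does not depend on it.

```python
"""Audit a WordPress install for woo-payment-bkash at or below 3.1.0."""
import os
import re
import tempfile

AFFECTED_SLUG = "woo-payment-bkash"  # plugin directory name from the advisory
LAST_AFFECTED = (3, 1, 0)            # versions <= 3.1.0 are affected
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.M)

def parse_version(text):
    """Turn '3.1.0' or '3.2' into a 3-tuple; trailing non-numeric parts are dropped."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])

def plugin_version(plugin_dir):
    """Return the Version: header found in any top-level .php file, or None."""
    for name in sorted(os.listdir(plugin_dir)):
        path = os.path.join(plugin_dir, name)
        if not name.endswith(".php") or not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            header = fh.read(8192)  # WordPress only inspects the first 8 KiB
        m = VERSION_RE.search(header)
        if m:
            return m.group(1)
    return None

def audit(wp_root):
    """Return (installed, version, affected) for woo-payment-bkash under wp_root."""
    plugin_dir = os.path.join(wp_root, "wp-content", "plugins", AFFECTED_SLUG)
    if not os.path.isdir(plugin_dir):
        return (False, None, False)
    ver = plugin_version(plugin_dir)
    if ver is None:
        return (True, None, True)  # unreadable version: treat as affected
    return (True, ver, parse_version(ver) <= LAST_AFFECTED)

def make_sample_install(version):
    """Constructed sample: a throwaway WordPress tree holding only this plugin."""
    root = tempfile.mkdtemp()
    plugin_dir = os.path.join(root, "wp-content", "plugins", AFFECTED_SLUG)
    os.makedirs(plugin_dir)
    with open(os.path.join(plugin_dir, "woo-payment-bkash.php"), "w") as fh:  # assumed name
        fh.write("<?php\n/**\n * Plugin Name: Payment Gateway bKash for WC\n"
                 f" * Version: {version}\n */\n")
    return root

if __name__ == "__main__":
    for v in ("3.0.5", "3.1.0", "3.1.1"):
        print(v, audit(make_sample_install(v)))
```

Run it against a real install by calling audit("/var/www/html") or the equivalent document root.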
Affected Countries
United Kingdom, Germany, France, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-10-21T14:59:54.788Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 697259104623b1157c7fab33
Added to database: 1/22/2026, 5:06:24 PM
Last enriched: 1/30/2026, 9:35:41 AM
Last updated: 2/5/2026, 8:14:53 AM