CVE-2025-64638: Missing Authorization in OnPay.io OnPay.io for WooCommerce
Missing Authorization vulnerability in OnPay.io OnPay.io for WooCommerce onpay-io-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects OnPay.io for WooCommerce: from n/a through <= 1.0.47.
AI Analysis
Technical Summary
CVE-2025-64638 identifies a missing authorization vulnerability in the OnPay.io for WooCommerce plugin, versions up to and including 1.0.47. The vulnerability stems from incorrectly configured access control security levels, which allow remote attackers to bypass authorization checks. This means that an unauthenticated attacker can access certain resources or data that should be restricted, potentially exposing sensitive information related to payment processing or customer data. The vulnerability is exploitable over the network without requiring any privileges or user interaction, increasing its accessibility to attackers. However, the impact is limited to confidentiality as there is no indication of integrity or availability compromise. The CVSS v3.1 score is 5.3 (medium severity), reflecting the ease of exploitation but limited impact scope. No public exploits have been reported yet, and no patches are currently linked, indicating that vendors or users must remain vigilant for forthcoming updates. The vulnerability affects the OnPay.io payment integration plugin for WooCommerce, a widely used e-commerce platform on WordPress, which is popular among European online retailers. The flaw could allow attackers to gather sensitive information that might be leveraged for further attacks or fraud. Given the nature of the vulnerability, it is critical for organizations to review their WooCommerce plugin configurations and monitor for vendor patches.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to confidentiality, potentially exposing sensitive payment or customer data handled via the OnPay.io WooCommerce plugin. While it does not directly affect data integrity or system availability, unauthorized data access can lead to privacy violations, regulatory non-compliance (e.g., GDPR), and reputational damage. E-commerce businesses relying on WooCommerce with OnPay.io integration are at risk of data leakage, which could facilitate fraud or phishing attacks. The lack of authentication and user interaction requirements means attackers can exploit this vulnerability remotely and at scale, increasing the threat surface. Organizations in Europe with significant online retail operations could face increased scrutiny from regulators if such data exposures occur. The medium severity rating suggests a moderate but non-critical threat, yet the potential for cascading effects through exposed data should not be underestimated.
Mitigation Recommendations
Organizations should immediately audit their WooCommerce installations to determine whether the OnPay.io for WooCommerce plugin is installed at version 1.0.47 or earlier. Until a patch is released, restrict access to the plugin’s administrative and API endpoints via network-level controls such as firewalls or web application firewalls (WAFs). Implement strict role-based access controls within WordPress to limit who can interact with the plugin’s features. Monitor logs for unusual access patterns or unauthorized requests targeting OnPay.io endpoints. Engage with OnPay.io vendor channels to track patch releases and apply updates promptly once available. Additionally, conduct regular security assessments of e-commerce platforms and ensure compliance with GDPR data protection requirements. Consider isolating payment processing components and encrypting sensitive data at rest and in transit to reduce exposure. Finally, educate staff on the risks of unauthorized data access and maintain incident response plans tailored to e-commerce environments.
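The first recommendation above, checking whether the plugin is installed at an affected version, is easy to get wrong if versions are compared as strings ("1.0.5" sorts after "1.0.47" as text but is an older release). The script below is an added example written for this page; it is not code from OnPay.io or from the plugin. It takes the plugin slug `onpay-io-for-woocommerce` and the upper bound 1.0.47 from the advisory, reads the `Version:` header from the plugin's main file the way WordPress's own header reader does (only the first 8 KiB, a line that starts with comment punctuation and then the field name), and compares numerically. The main file name used in the constructed sample install is an assumption; the audit itself scans all top-level `.php` files in the plugin directory for a `Plugin Name:` header rather than relying on that name.

```python
"""Audit a WordPress document root for OnPay.io for WooCommerce at or below
version 1.0.47, the last release the CVE-2025-64638 advisory lists as affected.
Added example for this page; not the plugin's or vendor's code."""
import re
import tempfile
from pathlib import Path

PLUGIN_SLUG = "onpay-io-for-woocommerce"  # plugin directory name, from the advisory
LAST_AFFECTED = "1.0.47"                  # advisory: "from n/a through <= 1.0.47"

# Line shape WordPress accepts for a plugin header field: optional comment
# punctuation, then the field name. Only the first 8 KiB of a file are scanned,
# matching WordPress's own header reader.
VERSION_HEADER = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.MULTILINE)
PLUGIN_NAME_HEADER = re.compile(r"^[ \t/*#@]*Plugin Name:", re.MULTILINE)


def parse_version(text: str) -> tuple:
    """'1.0.47' -> (1, 0, 47). A non-numeric component counts as 0."""
    parts = []
    for piece in re.split(r"[.\-]", text.strip()):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def compare_versions(a: str, b: str) -> int:
    """Numeric, component-wise comparison returning -1, 0 or 1. Plain string
    comparison is wrong here: '1.0.5' > '1.0.47' as text, but older as a version."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def is_affected(version: str) -> bool:
    """True when the installed version lies inside the advisory's affected range."""
    return compare_versions(version, LAST_AFFECTED) <= 0


def read_plugin_version(plugin_dir: Path):
    """Return the Version header of the plugin's main file, or None if not found."""
    for php in sorted(plugin_dir.glob("*.php")):
        head = php.read_text(errors="replace")[:8192]
        if not PLUGIN_NAME_HEADER.search(head):
            continue  # helper file, not the main plugin file
        m = VERSION_HEADER.search(head)
        if m:
            return m.group(1)
    return None


def audit(wp_root) -> dict:
    """Report whether the plugin is installed under wp_root and whether its
    version is affected. 'affected' is None when no version could be read, so
    that case is surfaced for manual review instead of being treated as safe."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / PLUGIN_SLUG
    if not plugin_dir.is_dir():
        return {"installed": False, "version": None, "affected": False}
    version = read_plugin_version(plugin_dir)
    return {
        "installed": True,
        "version": version,
        "affected": None if version is None else is_affected(version),
    }


def build_sample_install(root, version: str) -> Path:
    """Write a constructed, minimal plugin main file (not the real plugin's
    source) so the audit can be exercised offline. The file name is assumed."""
    plugin_dir = Path(root) / "wp-content" / "plugins" / PLUGIN_SLUG
    plugin_dir.mkdir(parents=True, exist_ok=True)
    main_file = plugin_dir / "onpay-io-for-woocommerce.php"
    main_file.write_text(
        "<?php\n/**\n * Plugin Name: OnPay.io for WooCommerce\n"
        f" * Version: {version}\n */\n"
    )
    return plugin_dir


def run_demo(version: str) -> dict:
    """Build a throwaway install at the given plugin version and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_install(root, version)
        return audit(root)


if __name__ == "__main__":
    # Point audit() at a real document root (e.g. audit("/var/www/html")) in use;
    # the constructed installs below only demonstrate the version logic.
    for v in ("1.0.5", "1.0.47", "1.0.48"):
        print(v, run_demo(v))
```

In practice, run `audit()` against each WordPress document root in the estate and treat both `affected: True` and `affected: None` as items to follow up; the None case means the plugin directory exists but no readable header was found, which is worth a look rather than a pass.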
Affected Countries
United Kingdom, Germany, France, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-11-06T13:11:11.071Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 6941174f594e45819d70c5ae
Added to database: 12/16/2025, 8:24:47 AM
Last enriched: 1/21/2026, 12:14:19 AM
Last updated: 2/7/2026, 11:00:59 AM