CVE-2025-68016 identifies a missing authorization vulnerability in the Onepay Sri Lanka onepay Payment Gateway plugin for WooCommerce, specifically affecting versions up to 1.1.2. The vulnerability arises from incorrectly configured access control security levels, allowing remote attackers to perform unauthorized actions on the payment gateway without any authentication or user interaction. This means that an attacker can potentially access or manipulate payment processing functions or sensitive transaction data by sending crafted requests directly to the plugin’s endpoints. The vulnerability is exploitable over the network (AV:N) with low attack complexity (AC:L), requires no privileges (PR:N), and no user interaction (UI:N), making it relatively easy to exploit. The impact is limited to partial confidentiality and integrity loss (C:L/I:L) without affecting availability (A:N). Although no known exploits are currently reported in the wild and no patches have been released, the risk remains significant for e-commerce sites using this plugin, as unauthorized access to payment gateway functions can lead to fraudulent transactions or data leakage. The vulnerability was reserved in December 2025 and published in January 2026, indicating recent discovery. The plugin is primarily used by WooCommerce stores integrating Onepay Sri Lanka payment services, which may be more prevalent in regions with Sri Lankan commerce or diaspora. The CVSS v3.1 vector and score of 6.5 classify this as a medium severity issue, reflecting the ease of exploitation but limited impact scope. The lack of patches necessitates immediate mitigation through access restrictions and monitoring until vendor fixes are available.

For European organizations using the Onepay Sri Lanka Payment Gateway plugin in WooCommerce, this vulnerability poses a risk of unauthorized access to payment processing functions. This could lead to unauthorized transaction manipulation, exposure of sensitive payment data, or fraudulent activities impacting customer trust and financial integrity. While the vulnerability does not affect system availability, the confidentiality and integrity of payment data are at risk, potentially leading to regulatory compliance issues under GDPR if personal data is exposed. The ease of exploitation over the network without authentication increases the threat level for online stores, especially those with high transaction volumes. Financial losses, reputational damage, and legal consequences could result if attackers exploit this flaw. The absence of known exploits in the wild currently reduces immediate risk, but the vulnerability’s presence in a critical e-commerce component warrants proactive defense. European e-commerce businesses relying on WooCommerce and integrating Onepay Sri Lanka services should consider this a significant threat vector.

1. Immediately restrict access to the Onepay Payment Gateway plugin’s administrative and API endpoints using network-level controls such as IP whitelisting or VPN access to trusted personnel only. 2. Implement strict role-based access controls within WooCommerce to limit who can interact with payment gateway settings and operations. 3. Monitor logs and network traffic for unusual or unauthorized requests targeting the payment gateway plugin endpoints. 4. Disable or remove the Onepay Sri Lanka payment gateway plugin if it is not essential to business operations until a patch is available. 5. Engage with the vendor or monitor official channels for security updates and apply patches promptly once released. 6. Conduct regular security audits and penetration testing focusing on e-commerce payment integrations to detect similar access control weaknesses. 7. Educate staff managing WooCommerce stores about the risks of unauthorized access and the importance of timely updates. 8. Consider implementing Web Application Firewalls (WAF) with custom rules to block suspicious requests targeting the vulnerable plugin. These steps go beyond generic advice by focusing on access restriction, monitoring, and operational controls tailored to this specific plugin and vulnerability.