Description
The Oceanpayment CreditCard Gateway plugin for WordPress is vulnerable to unauthenticated and unauthorized modification of data due to missing authentication and capability checks on the 'return_payment' and 'notice_payment' functions in all versions up to, and including, 6.0. This makes it possible for unauthenticated attackers to update WooCommerce orders to 'failed' status, and update transaction IDs.
Published: 2025-10-15
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized modification of orders and transaction IDs in WooCommerce
Action: Immediate Patch
AI Analysis

Impact

The Oceanpayment CreditCard Gateway plugin allows unauthenticated users to invoke the 'return_payment' and 'notice_payment' functions without any authentication or capability checks. This flaw lets an attacker alter the status of WooCommerce orders, setting them to 'failed', and change transaction identifiers. The impact is loss of order integrity and potential financial misreporting, since order history and payment data can be manipulated without valid credentials.

Affected Systems

Oceanpayment CreditCard Gateway (vendor: oceanpayment), all versions up to and including 6.0, deployed on WordPress sites running WooCommerce.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium severity, but the EPSS score of less than 1% suggests a low likelihood of widespread exploitation at present. The vulnerability is not listed in CISA’s KEV catalog. The attack vector is inferred as unauthenticated HTTP requests to the plugin’s exposed endpoints, as the functions are callable without authentication checks.

Generated by OpenCVE AI on April 21, 2026 at 02:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Oceanpayment CreditCard Gateway plugin to a version newer than 6.0.
  • If an update is not immediately feasible, restrict access to the plugin’s payment handling URLs via firewall rules or IP whitelisting to limit exposure to trusted hosts.
  • Modify the plugin’s 'return_payment' and 'notice_payment' functions to include proper authentication checks such as verifying user roles or WordPress nonces before processing order updates.
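As an added illustration of the third action (example code, not the Oceanpayment plugin's own), here is a hardened WooCommerce gateway notification handler that authenticates the caller before it touches any order. A gateway's server-to-server notification arrives with no logged-in user, so the check below verifies a shared-secret HMAC over the request body rather than a role or nonce; the header name, option name, endpoint name and JSON fields are hypothetical, since Oceanpayment's real callback scheme is not documented on this page.

```php
<?php
// Added example (not the plugin's code): hardened "notice_payment"-style handler.
// Hypothetical scheme: the gateway signs each callback with HMAC-SHA256 over the
// raw body using a shared secret stored in option 'ocp_example_secret' and sends
// the hex digest in the 'X-Gateway-Signature' header.

function ocp_example_notice_payment() {
    $raw    = file_get_contents( 'php://input' );
    $sent   = isset( $_SERVER['HTTP_X_GATEWAY_SIGNATURE'] ) ? $_SERVER['HTTP_X_GATEWAY_SIGNATURE'] : '';
    $secret = (string) get_option( 'ocp_example_secret', '' );

    // 1. Authenticate the caller before any order is loaded (the missing CWE-306 check).
    if ( '' === $secret || '' === $sent ) {
        status_header( 403 );
        exit;
    }
    $expected = hash_hmac( 'sha256', $raw, $secret );
    if ( ! hash_equals( $expected, $sent ) ) { // constant-time comparison
        status_header( 403 );
        exit;
    }

    $data = json_decode( $raw, true );
    if ( ! is_array( $data ) ) {
        status_header( 400 );
        exit;
    }

    // 2. Bind the callback to an order that actually belongs to this gateway.
    $order = wc_get_order( absint( $data['order_id'] ?? 0 ) );
    if ( ! $order || 'ocp_example' !== $order->get_payment_method() ) {
        status_header( 404 );
        exit;
    }

    // 3. Only act on orders still awaiting payment, so replayed callbacks cannot
    //    flip an already paid order to 'failed' or overwrite its transaction ID.
    if ( ! $order->has_status( array( 'pending', 'on-hold' ) ) ) {
        status_header( 200 );
        exit;
    }

    $txn = sanitize_text_field( (string) ( $data['transaction_id'] ?? '' ) );
    if ( 'success' === ( $data['result'] ?? '' ) ) {
        $order->payment_complete( $txn ); // records the transaction ID and advances the status
    } else {
        $order->update_status( 'failed', 'Gateway reported failure for transaction ' . $txn );
    }
    status_header( 200 );
    exit;
}
add_action( 'woocommerce_api_ocp_example_notice', 'ocp_example_notice_payment' );
```

For the browser-facing return path, the same structure applies, with the signature check replaced or supplemented by verifying the order key from the URL with `$order->key_is_valid( $key )` before any status change.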



Advisories

No advisories yet.

History

Mon, 20 Oct 2025 13:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Wordpress; Wordpress wordpress
Vendors & Products   (none)           Wordpress; Wordpress wordpress

Wed, 15 Oct 2025 14:15:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 15 Oct 2025 08:45:00 +0000

Type          Values Removed   Values Added
Description   (none)           The Oceanpayment CreditCard Gateway plugin for WordPress is vulnerable to unauthenticated and unauthorized modification of data due to missing authentication and capability checks on the 'return_payment' and 'notice_payment' functions in all versions up to, and including, 6.0. This makes it possible for unauthenticated attackers to update WooCommerce orders to 'failed' status, and update transaction IDs.
Title         (none)           Oceanpayment CreditCard Gateway <= 6.0 - Missing Authentication to Unauthenticated Order Status Update
Weaknesses    (none)           CWE-306
References
Metrics       (none)           cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:20:52.074Z

Reserved: 2025-10-13T22:54:55.316Z

Link: CVE-2025-11728

Vulnrichment

Updated: 2025-10-15T13:51:22.851Z

NVD

Status : Deferred

Published: 2025-10-15T09:15:43.307

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11728

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T02:30:25Z

Weaknesses