Description
The Cryptocurrency Payment Gateway for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'handle_optin_optout' function in all versions up to, and including, 2.0.25. This makes it possible for unauthenticated attackers to opt in and out of tracking.
Published: 2025-11-18
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Data Modification
Action: Patch Immediately
AI Analysis

Impact

The Cryptocurrency Payment Gateway for WooCommerce plugin for WordPress suffers from a missing capability check in the 'handle_optin_optout' function, allowing unauthenticated users to toggle tracking opt‑in status. This flaw enables attackers to alter plugin configuration data without permission, exposing sensitive user tracking preferences. The weakness is classified as CWE-862, representing a lack of proper access control.

Affected Systems

All WordPress sites that have installed the Tripleatechnology Cryptocurrency Payment Gateway for WooCommerce plugin, version 2.0.25 or earlier, are affected. Sites running the plugin on any WooCommerce installation up to the stated version are vulnerable until an update is applied.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity, and the EPSS score of less than 1% suggests a low likelihood of widespread exploitation at this time. The flaw is not listed in the CISA KEV catalog. The likely attack vector is via the publicly accessible plugin endpoint that handles opt‑in/out requests, meaning an attacker can exploit this issue without authentication or an existing WordPress session.

Generated by OpenCVE AI on April 22, 2026 at 12:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the plugin to the latest available version, which removes the missing capability check.
  • If immediate update is not possible, limit access to the opt‑in/out endpoint by restricting it to users with administrative privileges, for example through role‑based access control settings or server‑level access rules.
  • Enable logging for plugin configuration changes and review logs regularly for unauthorized opt‑in/out activity.

Generated by OpenCVE AI on April 22, 2026 at 12:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
Description The Cryptocurrency Payment Gateway for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'handle_optin_optout' function in all versions up to, and including, 2.0.22. This makes it possible for unauthenticated attackers to opt in and out of tracking. The Cryptocurrency Payment Gateway for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'handle_optin_optout' function in all versions up to, and including, 2.0.25. This makes it possible for unauthenticated attackers to opt in and out of tracking.
Title Cryptocurrency Payment Gateway for WooCommerce <= 2.0.22 - Missing Authorization to Unauthenticated Tracking Status Update Cryptocurrency Payment Gateway for WooCommerce <= 2.0.25 - Missing Authorization to Unauthenticated Tracking Status Update
References

Wed, 19 Nov 2025 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Tripleatechnology
Tripleatechnology cryptocurrency Payment Gateway For Woocommerce
Woocommerce
Woocommerce woocommerce
Wordpress
Wordpress wordpress
Vendors & Products Tripleatechnology
Tripleatechnology cryptocurrency Payment Gateway For Woocommerce
Woocommerce
Woocommerce woocommerce
Wordpress
Wordpress wordpress

Tue, 18 Nov 2025 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 18 Nov 2025 09:45:00 +0000

Type Values Removed Values Added
Description The Cryptocurrency Payment Gateway for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'handle_optin_optout' function in all versions up to, and including, 2.0.22. This makes it possible for unauthenticated attackers to opt in and out of tracking.
Title Cryptocurrency Payment Gateway for WooCommerce <= 2.0.22 - Missing Authorization to Unauthenticated Tracking Status Update
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Tripleatechnology Cryptocurrency Payment Gateway For Woocommerce
Woocommerce Woocommerce
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:10:19.397Z

Reserved: 2025-10-28T13:28:46.120Z

Link: CVE-2025-12392

cve-icon Vulnrichment

Updated: 2025-11-18T21:09:25.637Z

cve-icon NVD

Status : Deferred

Published: 2025-11-18T10:15:47.480

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12392

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T12:30:16Z

Weaknesses