Description
The Razorpay for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the getCouponList() function in all versions up to, and including, 4.7.8. This is due to the checkAuthCredentials() permission callback always returning true, providing no actual authentication. This makes it possible for unauthenticated attackers to modify the billing and shipping contact information (email and phone) of any WooCommerce order by knowing or guessing the order ID.
Published: 2026-02-19
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated Order Modification
Action: Patch Now
AI Analysis

Impact

The exposed getCouponList() function in Razorpay for WooCommerce enables an attacker to modify the billing and shipping contact information of any order without authentication. Because the permission callback always returns true, the plugin accepts unauthenticated requests, allowing any user who can guess or enumerate an order ID to tamper with that order’s details.

Affected Systems

The vulnerability is present in all versions of the Razorpay for WooCommerce WordPress plugin up to and including 4.7.8. System administrators running these versions should verify the installed version and perform an upgrade or apply a patch.

Risk and Exploitability

The CVSS score of 5.3 indicates medium severity, and the current EPSS score of less than 1% signals a low exploitation probability. The flaw is not listed in the CISA KEV catalog, so it is likely not a widely exploited public exploit. Nevertheless, an attacker can still abuse the lack of authentication to alter order information, potentially leading to fraud or customer data compromise. As the weakness stems from missing authentication checks, it can be bounded by proper access control on the getCouponList() endpoint.

Generated by OpenCVE AI on April 22, 2026 at 19:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Razorpay for WooCommerce to the latest available version (greater than 4.7.8) to ensure proper authentication checks are in place for the getCouponList() function.
  • If an upgrade is not possible immediately, configure the web application firewall or server to block unauthenticated requests to the coupon endpoint, or disable the endpoint entirely.
  • Monitor server logs for attempts to access the coupon endpoint with guessed order IDs and investigate any anomalies.

Generated by OpenCVE AI on April 22, 2026 at 19:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 19 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Feb 2026 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Razorpay
Razorpay razorpay For Woocommerce
Wordpress
Wordpress wordpress
Vendors & Products Razorpay
Razorpay razorpay For Woocommerce
Wordpress
Wordpress wordpress

Thu, 19 Feb 2026 05:00:00 +0000

Type Values Removed Values Added
Description The Razorpay for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the getCouponList() function in all versions up to, and including, 4.7.8. This is due to the checkAuthCredentials() permission callback always returning true, providing no actual authentication. This makes it possible for unauthenticated attackers to modify the billing and shipping contact information (email and phone) of any WooCommerce order by knowing or guessing the order ID.
Title Razorpay for WooCommerce <= 4.7.8 - Missing Authentication to Unauthenticated Order Modification
Weaknesses CWE-306
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Razorpay Razorpay For Woocommerce
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:37:06.887Z

Reserved: 2025-12-08T20:16:17.740Z

Link: CVE-2025-14294

cve-icon Vulnrichment

Updated: 2026-02-19T17:23:02.748Z

cve-icon NVD

Status : Deferred

Published: 2026-02-19T07:17:34.710

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14294

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T20:00:08Z

Weaknesses