Description
The Wallet System for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'change_wallet_fund_request_status_callback' function in all versions up to, and including, 2.7.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to manipulate wallet withdrawal requests and arbitrarily increase their wallet balance or decrease other users' balances.
Published: 2026-01-17
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary wallet balance manipulation
Action: Upgrade Plugin
AI Analysis

Impact

An authenticated user with at least Subscriber role can alter wallet withdrawal requests by calling the 'change_wallet_fund_request_status_callback' endpoint without proper capability checks. This flaw permits the attacker to arbitrarily increase their own wallet balance or debit other users, leading to financial abuse.
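To make the CWE-862 pattern concrete, the following PHP is an added illustration written for this page; it is not code from the Wallet System for WooCommerce plugin or from wpswings. It shows a WordPress AJAX handler of the kind the description names, first without any authorization check and then hardened with a nonce check, a capability check and input allow-listing. Every function name, action hook, option key and the nonce action are hypothetical stand-ins; `current_user_can`, `check_ajax_referer`, `wp_send_json_success`/`wp_send_json_error`, `absint`, `sanitize_text_field`, `wp_unslash`, `get_option`/`update_option` and the WooCommerce capability `manage_woocommerce` are real WordPress/WooCommerce APIs.

```php
<?php
/**
 * Added illustration of the CWE-862 (missing authorization) pattern behind
 * this CVE. Not the plugin's own code: every example_* name, hook and option
 * key is hypothetical.
 */

// --- Vulnerable shape ---------------------------------------------------
// wp_ajax_{action} hooks fire for every logged-in user, Subscriber included.
// Nothing below checks whether the caller is allowed to approve requests,
// so any authenticated account can reach the state-changing code.
add_action( 'wp_ajax_example_change_fund_request_status', 'example_change_fund_request_status_vulnerable' );

function example_change_fund_request_status_vulnerable() {
    $request_id = absint( $_POST['request_id'] ?? 0 );
    $status     = sanitize_text_field( wp_unslash( $_POST['status'] ?? '' ) );

    example_apply_fund_request_status( $request_id, $status ); // mutates wallet state
    wp_send_json_success();
}

// --- Hardened shape -----------------------------------------------------
// Nonce check (CSRF), capability check (authorization), input allow-listing,
// and error responses that terminate before anything is written.
add_action( 'wp_ajax_example_change_fund_request_status_secure', 'example_change_fund_request_status_secure' );

function example_change_fund_request_status_secure() {
    // 1. Reject requests that did not originate from the plugin's admin UI.
    //    check_ajax_referer() dies on a missing or invalid nonce.
    check_ajax_referer( 'example_wallet_admin_nonce', 'nonce' );

    // 2. Authorization: only users who may manage the shop can approve or
    //    reject withdrawal requests. manage_woocommerce is the capability
    //    WooCommerce grants to administrators and shop managers.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Validate inputs against an allow-list instead of trusting free text.
    $request_id = absint( $_POST['request_id'] ?? 0 );
    $status     = sanitize_text_field( wp_unslash( $_POST['status'] ?? '' ) );
    $allowed    = array( 'approved', 'rejected' );

    if ( 0 === $request_id || ! in_array( $status, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Invalid request.' ), 400 );
    }

    // 4. Only now touch wallet state, and record who did it for later audit.
    example_apply_fund_request_status( $request_id, $status );
    example_log_wallet_action( get_current_user_id(), $request_id, $status );

    wp_send_json_success( array( 'request_id' => $request_id, 'status' => $status ) );
}

/**
 * Hypothetical stand-ins for the plugin's storage layer, kept small so the
 * file can be dropped into wp-content/mu-plugins/ on a test site.
 */
function example_apply_fund_request_status( $request_id, $status ) {
    update_option( "example_fund_request_{$request_id}_status", $status );
}

function example_log_wallet_action( $actor_id, $request_id, $status ) {
    $log   = get_option( 'example_wallet_audit_log', array() );
    $log[] = array(
        'actor'   => $actor_id,
        'request' => $request_id,
        'status'  => $status,
        'time'    => time(),
    );
    update_option( 'example_wallet_audit_log', $log );
}
```

The line that matters is the `current_user_can` check: because `wp_ajax_*` handlers are reachable by any logged-in user, a callback that reaches state-changing code without one is reachable by a Subscriber, which is exactly the condition the advisory describes. After upgrading, the practical verification is that a Subscriber session calling the handler now receives the 403 error response and no wallet record changes.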

Affected Systems

Vulnerable versions include all releases of Wallet System for WooCommerce up to and including 2.7.2, which is distributed by wpswings under the nickname ‘Digital Wallet, Buy Now Pay Later, Instant Cashback, Referral program, Partial & Subscription Payments.’ Sites running any of these versions on WordPress are within scope.

Risk and Exploitability

CVSS score 6.5 indicates a moderate severity, while EPSS <1% signals low likelihood of public exploitation at this time. The flaw is not listed in CISA KEV, but any authenticated attacker can exploit it by simply performing a suitable AJAX request after login. Successful exploitation results in unauthorized balance manipulation, potentially inflating the attacker's funds or depleting others, damaging customer trust and financial integrity.

Generated by OpenCVE AI on April 21, 2026 at 16:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patched version of the plugin (e.g., 2.7.3 or later) that includes the missing capability check.
  • If an immediate update is unavailable, restrict usage of the wallet component to administrator‑level users only or temporarily deactivate the feature until a patch is applied.
  • Monitor transaction logs and wallet balances for abnormal activity, and revoke or downgrade compromised user accounts.

Tracking

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 20:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 19 Jan 2026 09:45:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress; Wpswings; Wpswings wallet System For Woocommerce
Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress; Wpswings; Wpswings wallet System For Woocommerce

Sat, 17 Jan 2026 02:30:00 +0000

Type: Description
Values Added: The Wallet System for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'change_wallet_fund_request_status_callback' function in all versions up to, and including, 2.7.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to manipulate wallet withdrawal requests and arbitrarily increase their wallet balance or decrease other users' balances.
Type: Title
Values Added: Wallet System for WooCommerce <= 2.7.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Wallet Balance Manipulation
Type: Weaknesses
Values Added: CWE-862
Type: References
Type: Metrics (cvssV3_1)
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}


Subscriptions

Wordpress Wordpress
Wpswings Wallet System For Woocommerce
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:49:48.052Z

Reserved: 2025-12-10T14:23:46.780Z

Link: CVE-2025-14450

Vulnrichment

Updated: 2026-01-20T18:40:27.357Z

NVD

Status : Deferred

Published: 2026-01-17T03:16:03.367

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14450

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T16:30:40Z

Weaknesses