Description
The Piraeus Bank WooCommerce Payment Gateway plugin for WordPress is vulnerable to unauthorized order status modification in all versions up to, and including, 3.1.4. This is due to missing authorization checks on the payment callback endpoint handler when processing the 'fail' callback from the payment gateway. This makes it possible for unauthenticated attackers to change any order's status to 'failed' via the publicly accessible WooCommerce API endpoint by providing only the order ID (MerchantReference parameter), which can be easily enumerated as order IDs are sequential integers. This can cause significant business disruption including canceled shipments, inventory issues, and loss of revenue.
Published: 2026-01-07
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Order Status Change
Action: Patch
AI Analysis

Impact

The Piraeus Bank WooCommerce Payment Gateway plugin is vulnerable because it omits Authorization checks in the payment callback handler when processing a 'fail' callback. This omission permits unauthenticated users to set any order’s status to 'failed' by submitting only the sequentially–enumerated order ID (MerchantReference). The result is unauthorized order status modification, which can trigger invoice cancellation, shipment cancellation, inventory inconsistencies, and revenue loss. The flaw is a classic Missing Authorization (CWE‑862) weakness.

Affected Systems

The vulnerability affects the enartia Piraeus Bank WooCommerce Payment Gateway plugin for WordPress, in all releases up to and including version 3.1.4. WordPress sites that have installed these versions of the plugin are susceptible.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium severity for an unauthorized modification that impacts business availability. The EPSS score of less than 1 % signals a low probability of real‑world exploitation. The issue is not listed in CISA’s KEV catalog, further suggesting limited exploitation activity. Attackers can exploit the publicly reachable WooCommerce API endpoint with no credentials and can easily enumerate order IDs due to their sequential nature, enabling mass‑status changes and operational disruption.

Generated by OpenCVE AI on April 20, 2026 at 21:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest plugin update (3.1.5 or newer) that restores proper authorization checks for the payment callback endpoint.
  • If an update is not immediately available, restrict the payment callback endpoint to authenticated users or implement a whitelist of IP addresses that can invoke the endpoint.
  • Set up monitoring or logging of WooCommerce order status changes, and configure alerts for unexpected state transitions to detect unauthorized activity early.

Generated by OpenCVE AI on April 20, 2026 at 21:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
References

Thu, 08 Jan 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Enartia
Enartia piraeus Bank Woocommerce Payment Gateway
Wordpress
Wordpress wordpress
Vendors & Products Enartia
Enartia piraeus Bank Woocommerce Payment Gateway
Wordpress
Wordpress wordpress

Wed, 07 Jan 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 07 Jan 2026 09:30:00 +0000

Type Values Removed Values Added
Description The Piraeus Bank WooCommerce Payment Gateway plugin for WordPress is vulnerable to unauthorized order status modification in all versions up to, and including, 3.1.4. This is due to missing authorization checks on the payment callback endpoint handler when processing the 'fail' callback from the payment gateway. This makes it possible for unauthenticated attackers to change any order's status to 'failed' via the publicly accessible WooCommerce API endpoint by providing only the order ID (MerchantReference parameter), which can be easily enumerated as order IDs are sequential integers. This can cause significant business disruption including canceled shipments, inventory issues, and loss of revenue.
Title Piraeus Bank WooCommerce Payment Gateway <= 3.1.4 - Missing Authorization to Unauthenticated Arbitrary Order Status Change
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Enartia Piraeus Bank Woocommerce Payment Gateway
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:26:39.127Z

Reserved: 2025-12-10T15:56:31.158Z

Link: CVE-2025-14460

cve-icon Vulnrichment

Updated: 2026-01-07T14:49:37.801Z

cve-icon NVD

Status : Deferred

Published: 2026-01-07T12:16:54.903

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14460

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T21:15:20Z

Weaknesses