Description
The Xendit Payment plugin for WordPress is vulnerable to unauthorized order status manipulation in all versions up to, and including, 6.0.2. This is due to the plugin exposing a publicly accessible WooCommerce API callback endpoint (`wc_xendit_callback`) that processes payment callbacks without any authentication or cryptographic verification that the requests originate from Xendit's payment gateway. This makes it possible for unauthenticated attackers to mark any WooCommerce order as paid by sending a crafted POST request to the callback URL with a JSON body containing an `external_id` matching the order ID pattern and a `status` of 'PAID' or 'SETTLED', granted they can enumerate order IDs (which are sequential integers). This leads to orders being fraudulently marked as completed without any actual payment, resulting in financial loss and inventory depletion.
Published: 2026-02-04
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized order status update leading to false payment confirmation
Action: Patch Immediately
AI Analysis

Impact

The Xendit Payment WordPress plugin exposes an unauthenticated WooCommerce API callback that accepts payment notifications without verifying the origin. An attacker can send a crafted POST request with a JSON payload specifying an order identifier and a status of 'PAID' or 'SETTLED'. If the attacker can determine sequential numeric order IDs, they can mark any order as paid without any actual transaction, allowing fraudulent order fulfillment and inventory loss.

Affected Systems

The vulnerability affects the Xendit Payment plugin from the vendor identified as tpixendit (Xendit Payment). All plugin versions up to and including 6.0.2 are impacted. The issue surfaces when the plugin is installed on a WordPress site running WooCommerce and the public callback endpoint is reachable.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) gives 5.3 Medium: the endpoint is reachable over the network with no privileges or user interaction, and the rated impact is a low loss of integrity only, with no confidentiality or availability impact. The EPSS score of less than 1% suggests low exploitation probability, and the vulnerability is not currently listed in CISA KEV. The numeric score understates the business risk, however: because the request needs no authentication and the endpoint is publicly reachable, a remote attacker who can enumerate order IDs can confirm unpaid orders at will, which is direct financial loss for the merchant. The attack is a plain HTTP(S) POST to the WooCommerce API dispatcher (WooCommerce routes `?wc-api=wc_xendit_callback` to the plugin's handler), with the only prerequisite being knowledge or guessing of the sequential order IDs.

Generated by OpenCVE AI on April 22, 2026 at 15:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Xendit Payment plugin to a release later than 6.0.2 that verifies callback origin as soon as the vendor publishes one; the Remediation section above records no vendor fix or workaround at the time of this analysis, so check the plugin changelog rather than assuming a particular fixed version.
  • If an upgrade is not immediately possible, limit access to the callback URL (the `wc-api=wc_xendit_callback` dispatcher route) to Xendit's published IP ranges using a firewall or a WordPress security plugin. If the site sits behind a CDN or reverse proxy, filter on the real client address the proxy provides rather than on a client-supplied X-Forwarded-For header, which an attacker can set freely.
  • Implement application-level checks that verify an incoming callback originates from Xendit before any order state is changed: compare the callback-verification token or signature against the stored value with a constant-time comparison, and treat the JSON body as untrusted even after that check (confirm the order is still awaiting payment and that the amount and currency match the order rather than acting on `status` alone).
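The handler below is an added example of the application-level check recommended above; it is illustrative code written for this page, not the Xendit plugin's own implementation, and it does not reproduce the vulnerable version. It assumes (none of this comes from the advisory) that Xendit presents its callback-verification token in an `x-callback-token` request header as in Xendit's webhook documentation, that the merchant's copy of that token is kept in a hypothetical WordPress option `wc_xendit_callback_token`, that the plugin builds `external_id` as `xendit_<order_id>`, and that the callback body carries `id`, `paid_amount` and `currency` fields alongside `status`. Adjust those names to whatever the real integration uses.

```php
<?php
// Hardened WooCommerce API callback for the pattern described in CVE-2025-14461.
// Added example, not the Xendit plugin's code. Assumed names (not from the
// advisory): the x-callback-token header, the wc_xendit_callback_token option,
// the "xendit_<order_id>" external_id shape, and the id/paid_amount/currency
// body fields.

add_action('woocommerce_api_wc_xendit_callback', 'hardened_xendit_callback');

function hardened_xendit_callback(): void {
    // Only POST is meaningful; GET/HEAD probes get a 405 and no order access.
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
        status_header(405);
        exit;
    }

    // 1. Origin check before anything else. The stored token must exist and
    //    the supplied one must match it in constant time (hash_equals), so a
    //    missing or guessed token never reaches the order logic.
    $expected = (string) get_option('wc_xendit_callback_token', '');
    $supplied = (string) ($_SERVER['HTTP_X_CALLBACK_TOKEN'] ?? '');
    if ($expected === '' || !hash_equals($expected, $supplied)) {
        status_header(403);
        exit;
    }

    // 2. Parse the body strictly: anything that is not a JSON object is rejected.
    $body = json_decode((string) file_get_contents('php://input'), true);
    if (!is_array($body)) {
        status_header(400);
        exit;
    }

    // 3. Resolve external_id to an order only if it has the exact shape the
    //    plugin generates; an attacker still cannot bypass step 1 to get here.
    $external_id = (string) ($body['external_id'] ?? '');
    if (!preg_match('/^xendit_(\d+)$/', $external_id, $m)) {
        status_header(400);
        exit;
    }
    $order = wc_get_order((int) $m[1]);
    if (!$order) {
        status_header(404);
        exit;
    }

    // 4. Only orders still awaiting payment may transition. A replayed callback
    //    or one aimed at a completed/cancelled order is acknowledged but ignored.
    if (!$order->needs_payment()) {
        status_header(200);
        exit;
    }

    // 5. Never mark paid on the status word alone: the status must be a paid
    //    state AND the amount and currency must match the order.
    $status   = strtoupper((string) ($body['status'] ?? ''));
    $paid     = (float) ($body['paid_amount'] ?? 0);  // assumed field name
    $currency = (string) ($body['currency'] ?? '');   // assumed field name
    if (!in_array($status, ['PAID', 'SETTLED'], true)
        || $currency !== $order->get_currency()
        || abs($paid - (float) $order->get_total()) > 0.005) {
        $order->add_order_note(sprintf(
            'Xendit callback rejected: status=%s amount=%s %s',
            $status, $paid, $currency
        ));
        status_header(400);
        exit;
    }

    // All checks passed: record the gateway transaction id and complete payment.
    $order->payment_complete((string) ($body['id'] ?? ''));
    status_header(200);
    exit;
}
```

The token check in step 1 is what closes the CWE-862 gap; steps 4 and 5 are defense in depth so that even a leaked token cannot be used to pay a large order with a small callback or to replay a confirmation. A stricter design, if the store can afford one extra outbound request per callback, is to ignore the body's `status` entirely and fetch the invoice by `id` from Xendit's API with the merchant's secret key, acting only on what Xendit returns; that is a design suggestion here, not something the advisory describes.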

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
References

Wed, 04 Feb 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Wed, 04 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 04 Feb 2026 08:45:00 +0000

Type Values Removed Values Added
Description The Xendit Payment plugin for WordPress is vulnerable to unauthorized order status manipulation in all versions up to, and including, 6.0.2. This is due to the plugin exposing a publicly accessible WooCommerce API callback endpoint (`wc_xendit_callback`) that processes payment callbacks without any authentication or cryptographic verification that the requests originate from Xendit's payment gateway. This makes it possible for unauthenticated attackers to mark any WooCommerce order as paid by sending a crafted POST request to the callback URL with a JSON body containing an `external_id` matching the order ID pattern and a `status` of 'PAID' or 'SETTLED', granted they can enumerate order IDs (which are sequential integers). This leads to orders being fraudulently marked as completed without any actual payment, resulting in financial loss and inventory depletion.
Title Xendit Payment <= 6.0.2 - Missing Authorization to Unauthenticated Arbitrary Order Status Update to Paid
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:42:56.770Z

Reserved: 2025-12-10T15:58:16.899Z

Link: CVE-2025-14461

Vulnrichment

Updated: 2026-02-04T15:19:35.743Z

NVD

Status : Deferred

Published: 2026-02-04T09:15:49.513

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14461

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T15:45:20Z

Weaknesses