Impact
The Netcash WooCommerce Payment Gateway plugin for WordPress is missing a capability check in the handle_return_url function in all releases up to and including 4.1.3. This flaw permits unauthenticated attackers to trigger the return URL endpoint and set any WooCommerce order status to processing or completed, effectively advancing orders without valid authorization. The vulnerability is classified as CWE-862 (Missing Authorization): a missing access check that results in unauthorized modification of application state.
Affected Systems
Sites that have installed Netcash WooCommerce Payment Gateway version 4.1.3 or earlier are vulnerable. The issue applies to the WordPress plugin as shipped in those releases, meaning any WooCommerce installation that relies on that plugin for payment processing is at risk.
Risk and Exploitability
The CVSS score of 5.3 classifies this as moderate risk, while the EPSS score of <1% indicates a very low probability of exploitation at present. The flaw is not listed in the CISA KEV catalog. Based on the description, it is inferred that the handle_return_url function can be called via the payment gateway's callback, allowing an unauthenticated requester to manipulate the order status without needing credentials. The absence of a proper capability check means the attacker can control the status change directly, potentially enabling fraudulent order fulfillment or masking unauthorized activity.
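Because the flaw lets an order reach processing or completed without a verified payment, one way to look for affected orders is to reconcile paid-status orders against the gateway's settlement records. The Python below is an added example, not code from the plugin or from OpenCVE; the CSV column names, the sample rows and the netcash-placeholder payment method ID are constructed assumptions to be replaced with the site's own exports.

```python
import csv
import io
from decimal import Decimal

# Constructed sample exports. Column names and the "netcash-placeholder"
# payment method ID are assumptions, not a real Netcash or WooCommerce format.
ORDERS_CSV = """order_id,status,payment_method,total
1001,completed,netcash-placeholder,250.00
1002,processing,netcash-placeholder,99.50
1003,processing,netcash-placeholder,480.00
1004,on-hold,netcash-placeholder,75.00
1005,completed,other-gateway,20.00
1006,completed,netcash-placeholder,60.00
"""
SETTLEMENTS_CSV = """order_ref,amount
1001,250.00
1003,48.00
1006,60.00
"""
PAID_STATUSES = {"processing", "completed"}

def load_settlements(text):
    """Sum settled amounts per order reference from the gateway statement."""
    settled = {}
    for row in csv.DictReader(io.StringIO(text)):
        ref = row["order_ref"].strip()
        settled[ref] = settled.get(ref, Decimal("0")) + Decimal(row["amount"])
    return settled

def find_unbacked_orders(orders_text, settlements_text, method_id):
    """Return (order_id, reason) for paid-status orders lacking full settlement."""
    settled = load_settlements(settlements_text)
    findings = []
    for row in csv.DictReader(io.StringIO(orders_text)):
        if row["payment_method"] != method_id or row["status"] not in PAID_STATUSES:
            continue  # other gateways and unpaid statuses are out of scope
        total = Decimal(row["total"])
        paid = settled.get(row["order_id"])
        if paid is None:
            findings.append((row["order_id"], "no settlement record"))
        elif paid < total:
            findings.append((row["order_id"], f"settled {paid} of {total}"))
    return findings

if __name__ == "__main__":
    for order_id, reason in find_unbacked_orders(ORDERS_CSV, SETTLEMENTS_CSV, "netcash-placeholder"):
        print(order_id, reason)
```

Orders the script flags are candidates for manual review before fulfillment, not proof of tampering, since settlement exports can lag behind order updates.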