Description
The PeachPay — Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net) plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the ConvesioPay webhook REST endpoint in all versions up to, and including, 1.119.8. This makes it possible for unauthenticated attackers to modify the status of arbitrary WooCommerce orders.
Published: 2026-01-20
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Order Status Modification
Action: Patch Immediately
AI Analysis

Impact

The vulnerability stems from missing capability checks on the ConvesioPay webhook REST endpoint in the PeachPay — Payments & Express Checkout for WooCommerce plugin up to version 1.119.8. Because the endpoint performs no permission check on the caller, an unauthenticated attacker can send a crafted webhook payload and change the status of any WooCommerce order. This is a missing-authorization flaw (CWE-862) that violates the principle of least authority and compromises order integrity, potentially enabling fraudulent order cancellations, refunds, or shipping approvals.

Affected Systems

The affected product is PeachPay — Payments & Express Checkout for WooCommerce, a WordPress plugin that supports Stripe, PayPal, Square, Authorize.net, and NMI. Versions 1.119.8 and earlier are vulnerable; all later releases should contain a fix.

Risk and Exploitability

The CVSS score of 5.3 indicates medium risk, while the EPSS score of less than 1 % suggests a low likelihood of current exploitation. Consistent with that, the vulnerability is not listed in CISA KEV, so no documented active exploitation is known. An attacker can exploit the flaw by sending an unauthenticated HTTP request to the webhook endpoint; no credentials or privileged access are required. Since any order can be modified, the impact on confidentiality is low, but the impact on integrity, and potentially financial loss, is significant.

Generated by OpenCVE AI on April 21, 2026 at 23:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PeachPay to the latest version available, which includes the fix for the missing capability checks on the ConvesioPay webhook endpoint.
  • If an immediate update is not possible, block the webhook endpoint from unauthenticated traffic, e.g. by placing a basic-auth layer or firewall rule in front of it that allows requests only from the trusted server that sends the webhook.
  • Re-issue and rotate any ConvesioPay webhook credentials so that only the newly authenticated credentials can reach the endpoint.

Generated by OpenCVE AI on April 21, 2026 at 23:56 UTC.
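As an added illustration of the flaw class described in the Impact section and the hardening suggested in the recommended actions (this is not PeachPay's code and not part of the OpenCVE record; the route namespace, option name and header name are hypothetical placeholders): a WordPress REST webhook route registered with an open permission_callback, next to one that admits only requests carrying a valid HMAC computed with a secret shared with the payment provider, and a handler that restricts which order-status transitions a webhook may drive.

```php
<?php
// Added illustration, not PeachPay's code. The route namespace, option name
// and header name are hypothetical placeholders.
add_action( 'rest_api_init', function () {
    // Weak pattern: permission_callback admits every caller, so the handler
    // is reachable unauthenticated. This is the CWE-862 class in the advisory.
    register_rest_route( 'example-pay/v1', '/webhook-open', array(
        'methods'             => 'POST',
        'callback'            => 'example_pay_handle_webhook',
        'permission_callback' => '__return_true',
    ) );
    // Hardened pattern: only requests carrying a valid HMAC over the raw body,
    // keyed with a secret shared with the payment provider, reach the handler.
    register_rest_route( 'example-pay/v1', '/webhook', array(
        'methods'             => 'POST',
        'callback'            => 'example_pay_handle_webhook',
        'permission_callback' => 'example_pay_verify_webhook_signature',
    ) );
} );

function example_pay_verify_webhook_signature( WP_REST_Request $request ) {
    $secret = get_option( 'example_pay_webhook_secret' ); // hypothetical option
    if ( empty( $secret ) ) {
        return new WP_Error( 'no_secret', 'Webhook secret not set', array( 'status' => 503 ) );
    }
    $sent     = $request->get_header( 'x-example-signature' ); // hypothetical header
    $expected = hash_hmac( 'sha256', $request->get_body(), $secret );
    // hash_equals() compares in constant time; the is_string() guard rejects a missing header.
    if ( ! is_string( $sent ) || ! hash_equals( $expected, $sent ) ) {
        return new WP_Error( 'bad_signature', 'Invalid signature', array( 'status' => 401 ) );
    }
    return true;
}

function example_pay_handle_webhook( WP_REST_Request $request ) {
    $data   = $request->get_json_params();
    $order  = isset( $data['order_id'] ) ? wc_get_order( absint( $data['order_id'] ) ) : false;
    $status = isset( $data['status'] ) ? sanitize_key( $data['status'] ) : '';
    if ( ! $order ) {
        return new WP_Error( 'no_order', 'Unknown order', array( 'status' => 404 ) );
    }
    // Even a verified webhook may only drive the transitions a payment event
    // legitimately produces; it must not set arbitrary order states.
    if ( ! in_array( $status, array( 'processing', 'completed', 'failed' ), true ) ) {
        return new WP_Error( 'bad_status', 'Status not permitted', array( 'status' => 400 ) );
    }
    $order->update_status( $status, 'Set by verified payment webhook' );
    return rest_ensure_response( array( 'ok' => true ) );
}
```

The same HMAC gate can be applied in front of the endpoint by a reverse proxy or firewall rule when the plugin itself cannot be updated immediately.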

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 21:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 20 Jan 2026 08:45:00 +0000

Type: First Time appeared
Values Added:
  • Peachpay
  • Peachpay peachpay - Payments & Express Checkout For Woocommerce (supports Stripe, Paypal, Square, Authorizenet)
  • Wordpress
  • Wordpress wordpress

Type: Vendors & Products
Values Added:
  • Peachpay
  • Peachpay peachpay - Payments & Express Checkout For Woocommerce (supports Stripe, Paypal, Square, Authorizenet)
  • Wordpress
  • Wordpress wordpress

Tue, 20 Jan 2026 02:00:00 +0000

Type: Description
Values Added: The PeachPay — Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability checks on the ConvesioPay webhook REST endpoint in all versions up to, and including, 1.119.8. This makes it possible for unauthenticated attackers to modify the status of arbitrary WooCommerce orders.

Type: Title
Values Added: PeachPay — Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net) <= 1.119.8 - Missing Authorization to Unauthenticated Order Status Modification

Type: Weaknesses
Values Added: CWE-862

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:53:21.706Z

Reserved: 2025-12-19T16:06:55.163Z

Link: CVE-2025-14978

Vulnrichment

Updated: 2026-01-20T20:54:10.416Z

NVD

Status : Deferred

Published: 2026-01-20T02:15:45.873

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14978

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T00:00:03Z

Weaknesses