Description
The PayHere Payment Gateway Plugin for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to an improper validation logic in the check_payhere_response function in all versions up to, and including, 2.3.9. This makes it possible for unauthenticated attackers to change the status of pending WooCommerce orders to paid/completed/on hold.
Published: 2026-01-14
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated order status modification
Action: Apply Patch
AI Analysis

Impact

The PayHere Payment Gateway plugin for WooCommerce allows an unauthenticated attacker to alter the status of pending orders, changing them to paid, completed or on‑hold. This flaw originates from insecure validation logic in the check_payhere_response function. The resulting impact is an integrity breach that enables an attacker to prematurely mark orders as paid, potentially bypassing payment processing and causing financial loss or fraud.

Affected Systems

This vulnerability affects the PayHere Payment Gateway Plugin for WooCommerce, specifically versions 2.3.9 and earlier. Owners of WordPress sites running any version up to 2.3.9 that utilize this plugin are potentially exposed.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity, while the EPSS score of less than 1% signals a low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an unauthenticated HTTP request to the plugin’s payment response handler, though the exact method is not detailed in the description. This flaw exposes the order data integrity but does not grant arbitrary command execution or data exfiltration.

Generated by OpenCVE AI on April 20, 2026 at 21:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the PayHere Payment Gateway Plugin to the latest released version (>= 2.4.0 or later).
  • If an upgrade is not immediately feasible, restrict external access to the PayHere response endpoint so that only authenticated administrators can trigger status changes, for example by adding firewall rules or using .htaccess restrictions.
  • As a temporary measure, manually update order statuses to the correct state via the WooCommerce admin panel or adjust the database directly after confirming legitimate payments.

Generated by OpenCVE AI on April 20, 2026 at 21:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
References

Thu, 15 Jan 2026 08:15:00 +0000

Type Values Removed Values Added
First Time appeared Payhere
Payhere payment Gateway Plugin For Woocommerce
Wordpress
Wordpress wordpress
Vendors & Products Payhere
Payhere payment Gateway Plugin For Woocommerce
Wordpress
Wordpress wordpress

Wed, 14 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 14 Jan 2026 07:00:00 +0000

Type Values Removed Values Added
Description The PayHere Payment Gateway Plugin for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to an improper validation logic in the check_payhere_response function in all versions up to, and including, 2.3.9. This makes it possible for unauthenticated attackers to change the status of pending WooCommerce orders to paid/completed/on hold.
Title PayHere Payment Gateway Plugin for WooCommerce <= 2.3.9 - Missing Authorization to Unauthenticated Order Status Modification
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Payhere Payment Gateway Plugin For Woocommerce
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:28:47.481Z

Reserved: 2026-01-07T10:41:20.920Z

Link: CVE-2025-15475

cve-icon Vulnrichment

Updated: 2026-01-14T16:54:25.400Z

cve-icon NVD

Status : Deferred

Published: 2026-01-14T07:16:14.063

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-15475

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T21:15:20Z

Weaknesses