Description
The Rupantorpay plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_webhook() function in all versions up to, and including, 2.0.0. This makes it possible for unauthenticated attackers to modify WooCommerce order statuses by sending crafted requests to the WooCommerce API endpoint.
Published: 2026-01-28
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Access Control Bypass
Action: Update Plugin
AI Analysis

Impact

A missing capability check in the handle_webhook() function of the Rupantorpay WordPress plugin allows an unauthenticated attacker to send crafted requests to the WooCommerce order status API endpoint and alter order statuses, such as cancelling, completing, or refunding orders, without any authorization.

Affected Systems

The vulnerability affects all releases of the Rupantorpay plugin through version 2.0.0, inclusive. Users who have installed any of these affected versions are potentially exposed.

Risk and Exploitability

The CVSS base score of 5.3 indicates moderate severity, and the EPSS score of less than 1% indicates a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw from any network by forging HTTP requests to the WooCommerce order status API endpoint, so the flaw is remotely reachable, although it is currently unlikely to be widely targeted.

Generated by OpenCVE AI on April 22, 2026 at 20:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Rupantorpay plugin to the latest available version that includes the missing capability check fix.
  • If an update is not yet available, restrict access to the WooCommerce order status API endpoint so that only authenticated, authorized users can modify order statuses, or disable the endpoint that allows status changes entirely.
  • Enable detailed logging of all order status updates and monitor logs for unexpected changes to detect and respond to unauthorized activity.

Advisories

No advisories yet.

History

Thu, 29 Jan 2026 10:15:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Wed, 28 Jan 2026 16:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 28 Jan 2026 11:30:00 +0000

Type: Description
Values Added: The Rupantorpay plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_webhook() function in all versions up to, and including, 2.0.0. This makes it possible for unauthenticated attackers to modify WooCommerce order statuses by sending crafted requests to the WooCommerce API endpoint.

Type: Title
Values Added: Rupantorpay <= 2.0.0 - Missing Authorization to Unauthenticated Order Status Modification

Type: Weaknesses
Values Added: CWE-862

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:38:11.949Z

Reserved: 2026-01-12T09:39:53.146Z

Link: CVE-2025-15511

Vulnrichment

Updated: 2026-01-28T15:56:36.576Z

NVD

Status: Deferred

Published: 2026-01-28T12:15:50.213

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-15511

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T20:15:20Z

Weaknesses