Description
The Aplazo Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the check_success_response() function in all versions up to, and including, 1.4.3. This makes it possible for unauthenticated attackers to set any WooCommerce order to `pending payment` status.
Published: 2026-01-14
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Order Status Modification
Action: Immediate Patch
AI Analysis

Impact

The Aplazo Payment Gateway plugin for WordPress contains a missing capability check in the check_success_response() function, which allows an unauthenticated user to set the status of any WooCommerce order to pending payment. Because the affected function accepts the request without verifying who sent it, paid or completed orders can be pushed back to an unpaid state, undermining order integrity and opening the door to fraudulent transactions or revenue loss. The weakness is classified as CWE-862 (Missing Authorization).

Affected Systems

The vulnerability affects installations of the Aplazo Payment Gateway WordPress plugin up to and including version 1.4.3. Any site that has not upgraded beyond 1.4.3 is susceptible. No other product versions are listed as impacted.

Risk and Exploitability

The CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) indicates medium severity: the flaw is reachable over the network with low complexity and requires neither privileges nor user interaction, but its only rated impact is a limited loss of integrity, with no confidentiality or availability impact. The EPSS score of less than 1% suggests a low likelihood of exploitation in the wild, and the flaw is not listed in the CISA KEV catalog, although the SSVC assessment recorded below marks it as automatable. The attack vector is an unauthenticated HTTP request that reaches the code path calling check_success_response(); because that function performs no authorization check, the request can change the status of any order whose ID the attacker supplies.

Generated by OpenCVE AI on April 21, 2026 at 16:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Aplazo Payment Gateway plugin to a version later than 1.4.3 (the advisory lists 1.4.3 as the last affected release, so 1.4.4 or newer), which is expected to carry the missing authorization check.
  • Ensure that only users with the appropriate capabilities (e.g., Shop Manager or higher) can invoke order status changes.
  • If the plugin update cannot be applied immediately, restrict access to the request path that invokes check_success_response() (for example at the web server or WAF layer, allowing only the payment provider's callback source and authenticated administrators) or temporarily disable the plugin so that unauthenticated requests cannot trigger order status changes.

Generated by OpenCVE AI on April 21, 2026 at 16:23 UTC.
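The following PHP is an illustrative example added to this page; it is not code from the Aplazo plugin, from Wordfence or from OpenCVE. It shows the CWE-862 shape described in the Impact section (a status-changing handler that trusts any HTTP request) next to a hardened version that applies the checks the recommended actions above call for: a capability check for shop managers, a nonce for browser-originated requests, and a signature check for server-to-server gateway callbacks. Every identifier prefixed `example_`, the option name, the signature header name and the payment method slug are assumptions; the WordPress and WooCommerce functions used (`current_user_can`, `wp_verify_nonce`, `wc_get_order`, `WC_Order::update_status`, `wp_send_json_error`, the `woocommerce_api_*` hook) are real APIs.

```php
<?php
/**
 * Illustrative WooCommerce callback handler: the vulnerable shape (CWE-862)
 * beside a hardened one. Hypothetical code, NOT the Aplazo plugin's source.
 * Names prefixed "example_" are assumptions made for this example.
 */

// --- Vulnerable shape: any HTTP request can move any order to pending ---
function example_check_success_response_vulnerable() {
    // Order id comes straight from the request. There is no capability check,
    // no nonce, and no proof that the request originated from the gateway.
    $order_id = isset( $_REQUEST['order_id'] ) ? absint( $_REQUEST['order_id'] ) : 0;
    $order    = wc_get_order( $order_id );
    if ( ! $order ) {
        wp_send_json_error( 'unknown order', 404 ); // wp_send_json_error() exits
    }
    // An unauthenticated attacker reaches this line for ANY order id.
    $order->update_status( 'pending', 'Gateway callback received' );
    wp_send_json_success();
}

// --- Hardened shape: each legitimate caller is proven before any write ---
function example_check_success_response_hardened() {
    $order_id = isset( $_REQUEST['order_id'] ) ? absint( $_REQUEST['order_id'] ) : 0;
    $order    = wc_get_order( $order_id );
    if ( ! $order ) {
        wp_send_json_error( 'unknown order', 404 );
    }

    // Only orders paid through this gateway may be touched by its handler
    // ('example_gateway' is an assumed payment method slug).
    if ( 'example_gateway' !== $order->get_payment_method() ) {
        wp_send_json_error( 'order does not belong to this gateway', 403 );
    }

    $authorized = false;

    // Caller 1: a logged-in Shop Manager or administrator acting from wp-admin.
    // manage_woocommerce is the capability WooCommerce grants to Shop Manager.
    if ( is_user_logged_in() && current_user_can( 'manage_woocommerce' ) ) {
        // CSRF protection for browser-originated requests.
        $nonce = isset( $_REQUEST['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) ) : '';
        if ( ! wp_verify_nonce( $nonce, 'example_gateway_update_' . $order_id ) ) {
            wp_send_json_error( 'bad nonce', 403 );
        }
        $authorized = true;
    }

    // Caller 2: a server-to-server callback from the payment gateway, proven by
    // an HMAC over the raw body with a shared secret (assumed option name and
    // assumed header name X-Example-Signature).
    if ( ! $authorized ) {
        $secret    = (string) get_option( 'example_gateway_webhook_secret', '' );
        $signature = isset( $_SERVER['HTTP_X_EXAMPLE_SIGNATURE'] ) ? (string) $_SERVER['HTTP_X_EXAMPLE_SIGNATURE'] : '';
        $raw_body  = (string) file_get_contents( 'php://input' );
        if ( '' === $secret || '' === $signature ) {
            wp_send_json_error( 'unauthenticated', 401 );
        }
        $expected = hash_hmac( 'sha256', $raw_body, $secret );
        // hash_equals() compares in constant time; never use == or === on MACs.
        if ( ! hash_equals( $expected, $signature ) ) {
            wp_send_json_error( 'bad signature', 401 );
        }
        // Bind the signed body to the order being modified so a captured
        // callback for one order cannot be replayed against another.
        $payload = json_decode( $raw_body, true );
        if ( ! is_array( $payload ) || absint( $payload['order_id'] ?? 0 ) !== $order_id ) {
            wp_send_json_error( 'payload/order mismatch', 400 );
        }
        $authorized = true;
    }

    // Limit reachable state transitions: a callback must not demote a
    // processing, completed or refunded order back to pending.
    if ( ! in_array( $order->get_status(), array( 'on-hold', 'failed', 'cancelled' ), true ) ) {
        wp_send_json_error( 'order is not in a state that can return to pending', 409 );
    }

    $order->update_status( 'pending', 'Status change authorized by gateway signature or shop manager' );
    wp_send_json_success();
}

// WooCommerce exposes gateway callbacks at /?wc-api=<name> through this hook;
// only the hardened handler should ever be wired up.
add_action( 'woocommerce_api_example_gateway', 'example_check_success_response_hardened' );
```

The design point is that a payment callback endpoint has two very different legitimate callers, and neither is "anyone on the internet": an interactive user must hold a WooCommerce capability and present a nonce, while the gateway must prove possession of the shared secret over the exact body that names the order. Restricting which order states may transition back to pending is an extra guard that limits damage even if one of the two checks is later weakened.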


Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:45:00 +0000

Type: Description
  Removed: The Aplazo Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the check_success_response() function in all versions up to, and including, 1.4.2. This makes it possible for unauthenticated attackers to set any WooCommerce order to `pending payment` status.
  Added: The Aplazo Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the check_success_response() function in all versions up to, and including, 1.4.3. This makes it possible for unauthenticated attackers to set any WooCommerce order to `pending payment` status.
Type: Title
  Removed: Aplazo Payment Gateway <= 1.4.2 - Missing Authorization to Unauthenticated Order Status Manipulation
  Added: Aplazo Payment Gateway <= 1.4.3 - Missing Authorization to Unauthenticated Order Status Manipulation
References

Thu, 15 Jan 2026 08:15:00 +0000

Type: First Time appeared
  Added: Wordpress (vendor); Wordpress wordpress (product)
Type: Vendors & Products
  Added: Wordpress (vendor); Wordpress wordpress (product)

Wed, 14 Jan 2026 21:15:00 +0000

Type: Metrics
  Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 14 Jan 2026 07:00:00 +0000

Type: Description
  Added: The Aplazo Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the check_success_response() function in all versions up to, and including, 1.4.2. This makes it possible for unauthenticated attackers to set any WooCommerce order to `pending payment` status.
Type: Title
  Added: Aplazo Payment Gateway <= 1.4.2 - Missing Authorization to Unauthenticated Order Status Manipulation
Type: Weaknesses
  Added: CWE-862
Type: References
Type: Metrics
  Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:10:31.747Z

Reserved: 2026-01-12T10:05:06.395Z

Link: CVE-2025-15512

Vulnrichment

Updated: 2026-01-14T20:51:56.953Z

NVD

Status : Deferred

Published: 2026-01-14T07:16:14.250

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-15512

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T16:30:40Z

Weaknesses