Description
The Order Tip for WooCommerce plugin for WordPress is vulnerable to Unauthenticated Improper Input Validation in all versions up to, and including, 1.5.4. This is due to lack of server-side validation on the `data-tip` attribute, which makes it possible for unauthenticated attackers to apply an excessive or even negative tip amount, resulting in unauthorized discount up to free orders depending on the value submitted.
Published: 2025-08-15
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Discount
Action: Patch Plugin
AI Analysis

Impact

The Order Tip for WooCommerce plugin is vulnerable to unauthenticated improper input validation that allows attackers to set an excessive or negative tip amount on the checkout form. Because no server-side check exists on the `data-tip` attribute, the plugin applies whatever value the client submits directly to the order total; a negative tip acts as a discount and can reduce the order cost to zero. This flaw directly compromises the financial integrity of transactions on affected sites.

Affected Systems

The vulnerability applies to any WordPress site running the railmedia Order Tip for WooCommerce plugin at version 1.5.4 or earlier. It affects every installation that exposes the tip field during checkout and has not been updated to a version that validates the tip amount server-side.

Risk and Exploitability

The CVSS 3.1 score of 7.5 (vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) denotes high severity: the flaw is reachable over the network, needs no privileges or user interaction, and has a high integrity impact with no confidentiality or availability impact. The EPSS score below 1% suggests a low probability of exploitation at present, and the issue is not listed in the CISA KEV catalog, so no exploitation in the wild has been confirmed; the SSVC assessment nonetheless rates it as automatable. The likely attack path is a crafted request to the checkout endpoint in which an unauthenticated user submits a negative or inflated tip value and receives an unauthorized discount.

Generated by OpenCVE AI on April 21, 2026 at 19:23 UTC.
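
To make the weakness behind the Impact and Risk sections concrete, here is an added example that is not the plugin's source (which this page does not show) and not OpenCVE's text: the CWE-602 pattern of a checkout tip taken from the client and applied as a cart fee without server-side validation, beside a hardened handler. All `otw_demo_*` names, the `otw-demo` text domain and the 5/10/15 % presets are invented for illustration; `woocommerce_cart_calculate_fees`, `WC()->session`, `WC_Cart::add_fee()`, `check_ajax_referer()` and `wc_clean()` are real WooCommerce/WordPress APIs.

```php
<?php
/**
 * Added example (hypothetical code, not the Order Tip for WooCommerce
 * plugin's source): the CWE-602 pattern behind this advisory, a checkout tip
 * taken from the client and applied as a cart fee without server-side
 * validation, beside a hardened handler. All otw_demo_* names are invented.
 */

// --- Vulnerable pattern -----------------------------------------------------
// The checkout button carries data-tip="5"; JavaScript posts that as 'tip'.
// The handler trusts whatever arrives, so tip=-30 (or 1e9) is applied
// unchanged via WC()->cart->add_fee(). A negative fee is a discount.
function otw_demo_vulnerable_tip( array $posted ) {
    return isset( $posted['tip'] ) ? (float) $posted['tip'] : 0.0;
}

// --- Hardened pattern -------------------------------------------------------
// The client only expresses a choice; the server decides what is legal.
// Returns the accepted tip, or null when the value must be rejected.
function otw_demo_validate_tip( $raw, $subtotal, array $offered_percentages = array(), $max_ratio = 0.5 ) {
    // 1. Strict format: up to six integer digits, optional two decimals.
    //    Rejects '-30', '1e9', '5abc', arrays and anything that is not a string.
    if ( ! is_string( $raw ) || ! preg_match( '/^\d{1,6}(\.\d{1,2})?$/', $raw ) ) {
        return null;
    }
    $tip = round( (float) $raw, 2 );
    // 2. Bounded relative to what is actually being bought.
    if ( $tip > $subtotal * $max_ratio ) {
        return null;
    }
    // 3. If the store offers preset percentages, recompute them server-side
    //    and accept only a match; the client's data-tip is never the oracle.
    if ( $offered_percentages ) {
        foreach ( $offered_percentages as $pct ) {
            if ( abs( round( $subtotal * $pct / 100, 2 ) - $tip ) < 0.005 ) {
                return $tip;
            }
        }
        return null;
    }
    return $tip;
}

// Wire-up, only when WordPress is loaded so the file also runs as a CLI demo.
if ( function_exists( 'add_action' ) ) {
    add_action( 'woocommerce_cart_calculate_fees', function ( $cart ) {
        $raw = WC()->session->get( 'otw_demo_tip' );
        $tip = otw_demo_validate_tip( $raw, (float) $cart->get_subtotal(), array( 5, 10, 15 ) );
        if ( null !== $tip && $tip > 0 ) {
            $cart->add_fee( __( 'Tip', 'otw-demo' ), $tip, false );
        }
    } );
    // Store the raw string only; validation runs where totals are computed,
    // against the subtotal current at that moment. The nonce is CSRF hygiene,
    // not the fix: an unauthenticated shopper legitimately calls this endpoint.
    $otw_demo_set_tip = function () {
        check_ajax_referer( 'otw_demo_tip', 'nonce' );
        $raw = isset( $_POST['tip'] ) ? wc_clean( wp_unslash( $_POST['tip'] ) ) : '';
        WC()->session->set( 'otw_demo_tip', is_string( $raw ) ? $raw : '' );
        wp_send_json_success();
    };
    add_action( 'wp_ajax_nopriv_otw_demo_set_tip', $otw_demo_set_tip );
    add_action( 'wp_ajax_otw_demo_set_tip', $otw_demo_set_tip );
}

// CLI demo with constructed inputs: subtotal 100.00, presets 5/10/15 %.
if ( PHP_SAPI === 'cli' && ! function_exists( 'add_action' ) ) {
    foreach ( array( '10', '10.00', '-30', '1e9', '50', '5abc' ) as $raw ) {
        printf( "tip=%-6s vulnerable applies %-12s hardened accepts %s\n",
            $raw,
            otw_demo_vulnerable_tip( array( 'tip' => $raw ) ),
            var_export( otw_demo_validate_tip( $raw, 100.00, array( 5, 10, 15 ) ), true )
        );
    }
}
```

Run with `php` on the command line to see the contrast: the vulnerable function applies -30 and 1000000000 as-is, while the hardened validator returns null for '-30', '1e9', '5abc' and for '50' (within the cap but not one of the offered presets). The design point is that the `data-tip` attribute is treated as a hint only; the amount that reaches `add_fee()` is recomputed from store configuration and the current subtotal.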

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Order Tip for WooCommerce plugin as soon as the vendor publishes a version above 1.5.4 that validates the tip amount server-side; at the time this page was generated no such fix was listed.
  • If an update cannot be applied immediately, temporarily disable the tip feature by removing the tip field from the checkout page or deactivating the plugin until a patched version is available.
  • Review recent orders for negative or implausibly large tip (fee) lines and for non-empty orders whose total came to zero, and keep an audit trail for any suspicious transactions.
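
The review step above, as an added example that is not part of the plugin, of WooCommerce or of OpenCVE's recommendations: a helper that flags fee lines resembling manipulated tips. The sample orders are constructed inline; `otw_demo_orders_from_wc()` (a hypothetical adapter) shows how to build the same arrays from a live store using the real `wc_get_orders()`, `WC_Order::get_fees()`/`get_subtotal()`/`get_total()` and `WC_Order_Item_Fee::get_name()`/`get_total()` APIs. The 50 % cap is an assumed store policy.

```php
<?php
/**
 * Added example (hypothetical helper, not part of the plugin or of WooCommerce):
 * review orders for fee lines that look like manipulated tips. Sample orders are
 * constructed inline; otw_demo_orders_from_wc() builds the same arrays from a
 * live store. The 50 % cap is an assumed policy, not a WooCommerce default.
 */

// Flags: any negative fee (a discount), a fee above $max_tip_ratio of the item
// subtotal, and a non-empty order whose total ended at zero or below.
function otw_demo_audit_orders( array $orders, $max_tip_ratio = 0.5 ) {
    $findings = array();
    foreach ( $orders as $o ) {
        foreach ( $o['fees'] as $fee ) {
            $reasons = array();
            if ( $fee['total'] < 0 ) {
                $reasons[] = 'negative fee acts as a discount';
            }
            if ( $o['items_subtotal'] > 0 && $fee['total'] > $o['items_subtotal'] * $max_tip_ratio ) {
                $reasons[] = sprintf( 'fee exceeds %d%% of item subtotal', $max_tip_ratio * 100 );
            }
            if ( $reasons ) {
                $findings[] = array( 'order' => $o['id'], 'line' => $fee['name'], 'amount' => $fee['total'], 'reasons' => $reasons );
            }
        }
        if ( $o['items_subtotal'] > 0 && $o['total'] <= 0 ) {
            $findings[] = array( 'order' => $o['id'], 'line' => '(order total)', 'amount' => $o['total'], 'reasons' => array( 'non-empty order with zero total' ) );
        }
    }
    return $findings;
}

// Adapter for a live store (requires WordPress + WooCommerce loaded, e.g. via
// `wp eval-file`). wc_get_orders(), WC_Order::get_fees()/get_subtotal()/get_total()
// and WC_Order_Item_Fee::get_name()/get_total() are real APIs.
function otw_demo_orders_from_wc( $limit = 500 ) {
    $out = array();
    foreach ( wc_get_orders( array( 'limit' => $limit, 'orderby' => 'date', 'order' => 'DESC' ) ) as $order ) {
        $fees = array();
        foreach ( $order->get_fees() as $fee ) {
            $fees[] = array( 'name' => $fee->get_name(), 'total' => (float) $fee->get_total() );
        }
        $out[] = array(
            'id'             => $order->get_id(),
            'items_subtotal' => (float) $order->get_subtotal(),
            'total'          => (float) $order->get_total(),
            'fees'           => $fees,
        );
    }
    return $out;
}

// Constructed sample: one normal order, one with a negative tip, one driven to zero.
$otw_demo_sample = array(
    array( 'id' => 1001, 'items_subtotal' => 80.00,  'total' => 88.00, 'fees' => array( array( 'name' => 'Tip', 'total' => 8.00 ) ) ),
    array( 'id' => 1002, 'items_subtotal' => 45.00,  'total' => 15.00, 'fees' => array( array( 'name' => 'Tip', 'total' => -30.00 ) ) ),
    array( 'id' => 1003, 'items_subtotal' => 120.00, 'total' => 0.00,  'fees' => array( array( 'name' => 'Tip', 'total' => -120.00 ) ) ),
);

// Use live data when WooCommerce is present, otherwise the constructed sample.
$otw_demo_orders = function_exists( 'wc_get_orders' ) ? otw_demo_orders_from_wc() : $otw_demo_sample;
foreach ( otw_demo_audit_orders( $otw_demo_orders ) as $f ) {
    printf( "order #%d  %-14s %10.2f  %s\n", $f['order'], $f['line'], $f['amount'], implode( '; ', $f['reasons'] ) );
}
```

On the constructed sample, orders 1002 and 1003 are reported for negative tip lines and 1003 again for a zero total; order 1001 is silent. Against a live store, a positive hit on the negative-fee rule is the strongest indicator, since a legitimate tip can never be below zero regardless of store policy.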

Advisories
Source: EUVD
ID: EUVD-2025-24962
Title: The Order Tip for WooCommerce plugin for WordPress is vulnerable to Unauthenticated Improper Input Validation in all versions up to, and including, 1.5.4. This is due to lack of server-side validation on the `data-tip` attribute, which makes it possible for unauthenticated attackers to apply an excessive or even negative tip amount, resulting in unauthorized discount up to free orders depending on the value submitted.
History

Sat, 16 Aug 2025 21:45:00 +0000

Type: First Time appeared
Values Added: Woocommerce; Woocommerce woocommerce; Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Added: Woocommerce; Woocommerce woocommerce; Wordpress; Wordpress wordpress

Fri, 15 Aug 2025 13:15:00 +0000

Type: Metrics (ssvc)
Values Added: Automatable: yes; Exploitation: none; Technical Impact: partial (SSVC version 2.0.3)


Fri, 15 Aug 2025 02:30:00 +0000

Type: Description
Values Added: The Order Tip for WooCommerce plugin for WordPress is vulnerable to Unauthenticated Improper Input Validation in all versions up to, and including, 1.5.4. This is due to lack of server-side validation on the `data-tip` attribute, which makes it possible for unauthenticated attackers to apply an excessive or even negative tip amount, resulting in unauthorized discount up to free orders depending on the value submitted.
Type: Title
Values Added: Order Tip for WooCommerce <= 1.5.4 - Unauthenticated Tip Manipulation to Negative Value Leading to Unauthorized Discounts
Type: Weaknesses
Values Added: CWE-602 (Client-Side Enforcement of Server-Side Security)
Type: References (no values shown)
Type: Metrics (cvssV3_1)
Values Added: score 7.5; vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:11:19.595Z

Reserved: 2025-06-12T12:07:16.620Z

Link: CVE-2025-6025

Vulnrichment

Updated: 2025-08-15T12:43:53.085Z

NVD

Status : Deferred

Published: 2025-08-15T03:15:36.227

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-6025

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T19:30:06Z

Weaknesses