CVE-2025-14294

MEDIUM

Razorpay for WooCommerce <=4.7.8 - Auth Bypass

Title source: llm

Description

The Razorpay for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the getCouponList() function in all versions up to, and including, 4.7.8. This is due to the checkAuthCredentials() permission callback always returning true, providing no actual authentication. This makes it possible for unauthenticated attackers to modify the billing and shipping contact information (email and phone) of any WooCommerce order by knowing or guessing the order ID.

References (5)

Core 5

Core References

Product

https://plugins.trac.wordpress.org/browser/woo-razorpay/trunk/includes/api/auth.php#L7

Product

https://plugins.trac.wordpress.org/browser/woo-razorpay/trunk/includes/api/coupon-get.php#L58

Product

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3436262%40woo-razorpay&new=3436262%40woo-razorpay&sfp_email=&sfph_mail=

Product

https://plugins.trac.wordpress.org/browser/woo-razorpay/trunk/includes/api/api.php#L33

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/163d42df-148f-431c-891e-dbdc09bf2ae1?source=cve

Scores

CVSS v3 5.3

EPSS 0.0035

EPSS Percentile 27.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-306

Status published

Products (1)

razorpay/Razorpay for WooCommerce < 4.7.8

Published Feb 19, 2026

Tracked Since Feb 19, 2026