CVE-2025-14294
📋 TL;DR
The Razorpay for WooCommerce WordPress plugin has an authentication bypass vulnerability that allows unauthenticated attackers to modify billing and shipping contact information (email and phone) of any WooCommerce order. This affects all WordPress sites using the plugin up to version 4.7.8. Attackers only need to know or guess a valid order ID to exploit this vulnerability.
💻 Affected Systems
- Razorpay for WooCommerce WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could redirect order confirmations and shipping notifications to their own email/phone, enabling order hijacking, payment diversion, or customer data theft.
Likely Case
Attackers modify order contact information to redirect order confirmations or shipping notifications, potentially enabling social engineering or order interference.
If Mitigated
With proper monitoring, unauthorized modifications would be detected in logs, allowing for investigation and order correction.
🎯 Exploit Status
Exploitation requires only HTTP requests to the vulnerable endpoint with a valid order ID. No authentication or special tools needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.7.9
Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3436262%40woo-razorpay&new=3436262%40woo-razorpay&sfp_email=&sfph_mail=
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Razorpay for WooCommerce'.
4. Click 'Update Now' if available, or download version 4.7.9+ from the WordPress repository.
5. Activate the updated plugin.
🔧 Temporary Workarounds
Disable vulnerable API endpoint
Block access to the vulnerable getCouponList() function via web server configuration or firewall rules.
# For Apache: add to .htaccess
RewriteRule ^wp-content/plugins/woo-razorpay/includes/api/coupon-get\.php$ - [F,L]
# For Nginx: add to server block
location ~* /wp-content/plugins/woo-razorpay/includes/api/coupon-get\.php$ { deny all; }
🧯 If You Can't Patch
- Disable the Razorpay for WooCommerce plugin entirely until patched.
- Implement web application firewall rules to block requests to the vulnerable endpoint patterns.
🔍 How to Verify
Check if Vulnerable:
Check the 'Razorpay for WooCommerce' version under WordPress admin → Plugins → Installed Plugins. If the version is 4.7.8 or lower, you are vulnerable.
Check Version:
# From WordPress root directory
grep -r "Version:" wp-content/plugins/woo-razorpay/razorpay-woocommerce.php | head -1
Verify Fix Applied:
After updating, verify plugin version shows 4.7.9 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-content/plugins/woo-razorpay/includes/api/coupon-get.php without authentication
- Multiple failed order ID guessing attempts in access logs
- Unexpected modifications to WooCommerce order contact information
Network Indicators:
- HTTP requests to coupon-get.php endpoint from unauthenticated sources
- Pattern of order ID enumeration attempts
SIEM Query:
source="web_access_logs" AND uri="/wp-content/plugins/woo-razorpay/includes/api/coupon-get.php" AND NOT user_agent="WordPress/*"
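The log indicators above can be checked offline against a web server access log. The following script is an added example, not part of this advisory or the plugin: it parses combined-format log lines, flags every hit on the coupon-get.php endpoint, and reports source IPs that request several distinct order IDs (the enumeration pattern). The sample lines are constructed, and the assumption that the order ID is visible as an `order_id` query parameter is mine; adjust the parsing if your logs show it elsewhere.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Endpoint named in the advisory's log indicators.
VULN_PATH = "/wp-content/plugins/woo-razorpay/includes/api/coupon-get.php"

# Constructed sample lines in Apache/Nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2026:10:00:01 +0000] "POST /wp-content/plugins/woo-razorpay/includes/api/coupon-get.php?order_id=1001 HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jan/2026:10:00:02 +0000] "POST /wp-content/plugins/woo-razorpay/includes/api/coupon-get.php?order_id=1002 HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jan/2026:10:00:03 +0000] "POST /wp-content/plugins/woo-razorpay/includes/api/coupon-get.php?order_id=1003 HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.4 - - [10/Jan/2026:10:05:00 +0000] "GET /checkout/ HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2026:10:05:09 +0000] "POST /wp-content/plugins/woo-razorpay/includes/api/coupon-get.php?order_id=2001 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "method target proto" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line; return a dict or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    # Assumption: the order ID travels as an order_id query parameter (hypothetical name).
    rec["order_id"] = parse_qs(url.query).get("order_id", [None])[0]
    return rec


def analyse(log_text, enum_threshold=3):
    """Return (hits on the vulnerable endpoint, IPs requesting >= enum_threshold distinct order IDs)."""
    hits = []
    ids_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != VULN_PATH:
            continue
        hits.append(rec)
        if rec["order_id"] is not None:
            ids_by_ip[rec["ip"]].add(rec["order_id"])
    enumerators = sorted(ip for ip, ids in ids_by_ip.items() if len(ids) >= enum_threshold)
    return hits, enumerators


if __name__ == "__main__":
    hits, enumerators = analyse(SAMPLE_LOG)
    print(f"{len(hits)} requests to coupon-get.php; enumerating sources: {enumerators}")
```

Pipe a real log in with `analyse(open(path).read())` and tune `enum_threshold` to your order volume; one legitimate checkout normally touches a single order ID.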
🔗 References
- https://plugins.trac.wordpress.org/browser/woo-razorpay/trunk/includes/api/api.php#L33
- https://plugins.trac.wordpress.org/browser/woo-razorpay/trunk/includes/api/auth.php#L7
- https://plugins.trac.wordpress.org/browser/woo-razorpay/trunk/includes/api/coupon-get.php#L58
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3436262%40woo-razorpay&new=3436262%40woo-razorpay&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/163d42df-148f-431c-891e-dbdc09bf2ae1?source=cve