CVE-2025-14461
📋 TL;DR
The Xendit Payment plugin for WordPress has an authentication bypass vulnerability that allows unauthenticated attackers to mark WooCommerce orders as paid without actual payment. This affects all WordPress sites using Xendit Payment plugin versions up to 6.0.2. Attackers can exploit this to cause financial loss and inventory depletion.
💻 Affected Systems
- Xendit Payment plugin for WordPress
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete inventory depletion and significant financial loss as attackers mark all orders as paid, shipping products without receiving payment.
Likely Case
Targeted fraud where attackers mark specific high-value orders as paid to obtain goods without payment.
If Mitigated
No impact if proper authentication and cryptographic verification are implemented for payment callbacks.
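To make "proper authentication and cryptographic verification" concrete, the following Python sketch (added here as an illustration; it is not the plugin's code and does not reflect its internals) places the flaw class the advisory describes next to a hardened callback handler. The order store, token value, the `x-callback-token` header name and the `lookup_payment` callable are all assumptions constructed for the example.

```python
import hmac
import json
from dataclasses import dataclass, field

# Constructed shared secret standing in for the provider's callback verification
# token; a real deployment reads it from configuration, never from source.
CALLBACK_TOKEN = "constructed-callback-token"
PAID_STATES = {"PAID", "SETTLED"}


@dataclass
class Order:
    order_id: int
    amount: int                     # in minor currency units
    status: str = "pending"
    paid_refs: set = field(default_factory=set)


def sample_orders():
    """Fresh constructed order book so each run starts from 'pending'."""
    return {1001: Order(1001, 150000), 1002: Order(1002, 99000)}


def handle_callback_vulnerable(orders, order_id, body):
    """The flaw class the advisory describes: whoever posts a body saying
    PAID for a guessable order id gets that order marked as paid."""
    order = orders.get(order_id)
    if order is None:
        return 404
    if json.loads(body).get("status") in PAID_STATES:
        order.status = "completed"
    return 200


def handle_callback_hardened(orders, order_id, headers, body, lookup_payment):
    """Same endpoint with the checks a payment callback needs.
    `lookup_payment` stands in for a server-to-server query to the provider."""
    # 1. Authenticate the caller with a constant-time comparison of the
    #    shared token (header name is an assumption for this example).
    presented = headers.get("x-callback-token", "")
    if not hmac.compare_digest(presented.encode(), CALLBACK_TOKEN.encode()):
        return 401
    order = orders.get(order_id)
    if order is None:
        return 404
    # 2. Treat the posted body only as a hint; fetch the authoritative state.
    payment_id = json.loads(body).get("id")
    payment = lookup_payment(payment_id) if payment_id else None
    if payment is None or payment.get("status") not in PAID_STATES:
        return 400
    # 3. Bind the payment to this order and to the amount the order expects.
    if payment.get("external_id") != str(order_id) or payment.get("amount") != order.amount:
        return 400
    # 4. Idempotency: a replayed callback must not re-trigger fulfilment.
    if payment_id in order.paid_refs:
        return 200
    order.paid_refs.add(payment_id)
    order.status = "completed"
    return 200
```

The hardened path rejects an unauthenticated POST before touching any order, refuses to complete an order whose amount or external reference does not match the provider's record, and treats a repeated callback for the same payment as a no-op, so a replayed message cannot ship goods twice.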
🎯 Exploit Status
Exploitation requires order ID enumeration (sequential integers) and sending crafted POST requests to the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.0.3 or later
Vendor Advisory: https://plugins.trac.wordpress.org/browser/woo-xendit-virtual-accounts
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the 'Xendit Payment' plugin.
4. Click 'Update Now' if an update is available.
5. If no update appears, manually download version 6.0.3+ from WordPress.org and replace the plugin files.
🔧 Temporary Workarounds
Block vulnerable endpoint via web server
Block access to the vulnerable callback endpoint using web server configuration.
# For Apache: add to .htaccess (RewriteEngine must be enabled for the rule to take effect)
RewriteEngine On
RewriteRule ^wc_xendit_callback$ - [F,L]
# For Nginx: add to server block
location ~* ^/wc_xendit_callback$ { return 403; }
Disable Xendit plugin temporarily
Deactivate the vulnerable plugin until patched.
wp plugin deactivate woo-xendit-virtual-accounts
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block POST requests to /wc_xendit_callback endpoint.
- Monitor and alert on suspicious POST requests to the callback endpoint with order status changes.
🔍 How to Verify
Check if Vulnerable:
Check if plugin version is 6.0.2 or lower in WordPress admin panel or via wp-cli: wp plugin get woo-xendit-virtual-accounts --field=version
Check Version:
wp plugin get woo-xendit-virtual-accounts --field=version
Verify Fix Applied:
Verify plugin version is 6.0.3 or higher and test that callback endpoint now requires proper authentication.
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wc_xendit_callback endpoint with 'status':'PAID' or 'SETTLED' in JSON body
- Order status changes from pending to completed without corresponding payment transactions
Network Indicators:
- Unusual POST requests to callback endpoint from non-Xendit IP addresses
- Rapid sequence of order status updates
SIEM Query:
source="web_logs" AND uri_path="/wc_xendit_callback" AND http_method="POST" AND (body LIKE "%PAID%" OR body LIKE "%SETTLED%")
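The log and network indicators above can be checked offline with a small Python detector, added here as an example rather than anything from the page or the plugin. It assumes a WAF or audit log that records request bodies in JSON-lines form (plain access logs do not carry POST bodies); the sample lines and the provider IP allowlist are constructed placeholders, and the burst threshold and window are arbitrary tuning values.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

CALLBACK_PATH = "/wc_xendit_callback"
PAID_STATES = {"PAID", "SETTLED"}

# Constructed placeholder for the payment provider's published callback
# source addresses; replace with the real allowlist from the provider's docs.
PROVIDER_IPS = {"198.51.100.10"}

# Constructed sample records (one JSON object per line, as a WAF/audit log
# that captures bodies might emit). 203.0.113.7 is a documentation address.
_events = [
    {"ts": "2025-12-01T10:00:00Z", "src": "198.51.100.10", "method": "POST",
     "path": CALLBACK_PATH, "body": json.dumps({"id": "pay_1", "status": "PAID"})},
    {"ts": "2025-12-01T10:05:00Z", "src": "203.0.113.7", "method": "POST",
     "path": CALLBACK_PATH, "body": json.dumps({"id": "pay_2", "status": "PAID"})},
    {"ts": "2025-12-01T10:05:01Z", "src": "203.0.113.7", "method": "POST",
     "path": CALLBACK_PATH, "body": json.dumps({"id": "pay_3", "status": "PAID"})},
    {"ts": "2025-12-01T10:05:02Z", "src": "203.0.113.7", "method": "POST",
     "path": CALLBACK_PATH, "body": json.dumps({"id": "pay_4", "status": "SETTLED"})},
    {"ts": "2025-12-01T10:06:00Z", "src": "203.0.113.7", "method": "GET",
     "path": "/shop", "body": ""},
    {"ts": "2025-12-01T10:07:00Z", "src": "203.0.113.7", "method": "POST",
     "path": CALLBACK_PATH, "body": json.dumps({"id": "pay_5", "status": "PENDING"})},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in _events)


def parse_log(text):
    """Yield records from JSON-lines text, converting the timestamp."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield rec


def status_of(body):
    """Extract the 'status' field from a JSON request body, if any."""
    try:
        return json.loads(body).get("status")
    except (ValueError, AttributeError):
        return None


def detect(log_text, provider_ips, window=timedelta(seconds=60), burst=3):
    """Return (reason, ts, src, detail) alerts for:
    - a PAID/SETTLED callback POST from a source outside the allowlist
    - `burst` or more callback POSTs from one source inside `window`
    """
    alerts = []
    recent = defaultdict(list)      # src -> timestamps of callback POSTs in window
    burst_flagged = set()
    for rec in parse_log(log_text):
        if rec["method"] != "POST" or rec["path"] != CALLBACK_PATH:
            continue
        src, ts = rec["src"], rec["ts"]
        status = status_of(rec.get("body", ""))
        if status in PAID_STATES and src not in provider_ips:
            alerts.append(("paid_status_from_unlisted_source", ts, src, status))
        recent[src] = [t for t in recent[src] + [ts] if ts - t <= window]
        if len(recent[src]) >= burst and src not in burst_flagged:
            burst_flagged.add(src)
            alerts.append(("callback_burst", ts, src, len(recent[src])))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, PROVIDER_IPS):
        print(*alert)
```

The allowlist check corresponds to the "non-Xendit IP addresses" indicator and the burst check to "rapid sequence of order status updates"; a PENDING body from the same source is deliberately not flagged, since the advisory's indicator is specifically a PAID or SETTLED status arriving from somewhere other than the provider.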
🔗 References
- https://plugins.trac.wordpress.org/browser/woo-xendit-virtual-accounts/tags/6.0.2/woocommerce-xendit-pg.php#L252
- https://plugins.trac.wordpress.org/browser/woo-xendit-virtual-accounts/trunk/woocommerce-xendit-pg.php#L252
- https://www.wordfence.com/threat-intel/vulnerabilities/id/2791bbd5-9101-4484-a352-0e4d2ce04e5d?source=cve