CVE-2025-14978
📋 TL;DR
The PeachPay WooCommerce plugin has a missing capability check on its ConvesioPay webhook endpoint, allowing unauthenticated attackers to modify WooCommerce order statuses. This affects all WordPress sites using PeachPay plugin versions up to 1.119.8. Attackers can mark orders as completed, refunded, or other statuses without payment verification.
💻 Affected Systems
- PeachPay — Payments & Express Checkout for WooCommerce
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could mark unpaid orders as completed, allowing customers to receive products without payment, or mark legitimate orders as refunded/cancelled, causing financial loss and customer service issues.
Likely Case
Attackers modify order statuses to disrupt business operations, cause confusion in fulfillment, or enable limited fraud by marking unpaid orders as completed.
If Mitigated
With proper webhook validation and authentication, only legitimate payment processors can update order statuses, maintaining business integrity.
🎯 Exploit Status
Simple HTTP POST requests to the vulnerable endpoint can modify order statuses without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.119.9 or later
Vendor Advisory: https://plugins.trac.wordpress.org/browser/peachpay-for-woocommerce
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find PeachPay plugin. 4. Click 'Update Now' if available. 5. Alternatively, download latest version from WordPress plugin repository and manually update.
🔧 Temporary Workarounds
Disable ConvesioPay payment method
allTemporarily disable ConvesioPay payment option in PeachPay settings until patched.
Web Application Firewall rule
linuxBlock access to the vulnerable webhook endpoint via WAF or .htaccess.
# Add to .htaccess
RewriteEngine On
RewriteRule ^wp-json/peachpay/v1/convesiopay/webhook - [F,L]
🧯 If You Can't Patch
- Monitor WooCommerce order status changes for suspicious patterns
- Implement additional order verification steps before fulfillment
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for PeachPay version. If version is 1.119.8 or lower, you are vulnerable.Check Version:
wp plugin list --name=peachpay --field=versionVerify Fix Applied:
After updating, verify PeachPay plugin version shows 1.119.9 or higher in WordPress plugins list.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-json/peachpay/v1/convesiopay/webhook
- Rapid order status changes without corresponding payment events
Network Indicators:
- HTTP POST requests to webhook endpoint from non-payment processor IPs
SIEM Query:
source="web_server" AND uri="/wp-json/peachpay/v1/convesiopay/webhook" AND method="POST" AND NOT src_ip IN [payment_processor_ips]