CVE-2025-15475
📋 TL;DR
This vulnerability allows unauthenticated attackers to manipulate WooCommerce order statuses through the PayHere Payment Gateway plugin. Attackers can change pending orders to paid, completed, or on-hold statuses without payment. All WordPress sites using vulnerable versions of this plugin are affected.
💻 Affected Systems
- PayHere Payment Gateway Plugin for WooCommerce
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could mark fraudulent orders as paid, causing merchants to ship products without receiving payment, leading to significant financial losses and inventory depletion.
Likely Case
Attackers exploit the vulnerability to obtain products without payment by manipulating order statuses, resulting in direct revenue loss for merchants.
If Mitigated
With proper monitoring and order verification processes, fraudulent orders can be caught before fulfillment, limiting financial impact.
🎯 Exploit Status
The vulnerability is in a publicly accessible function with improper validation, making exploitation straightforward for attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.4.0 or later
Vendor Advisory: https://plugins.trac.wordpress.org/browser/payhere-payment-gateway/tags/2.4.0/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find PayHere Payment Gateway. 4. Click 'Update Now' if available. 5. If not, download version 2.4.0+ from WordPress repository and manually update.
🔧 Temporary Workarounds
Disable PayHere Plugin
allTemporarily disable the vulnerable plugin until patched
wp plugin deactivate payhere-payment-gateway
Restrict Access to PayHere Endpoint
linuxBlock access to the vulnerable check_payhere_response function via web server configuration
# Add to .htaccess for Apache:
RewriteRule ^wc-api/payhere_gateway - [F,L]
# Add to nginx config:
location ~ ^/wc-api/payhere_gateway { deny all; }
🧯 If You Can't Patch
- Implement manual order verification process requiring manager approval before shipping
- Enable WooCommerce fraud detection plugins and configure alerts for order status changes
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin under Plugins > Installed Plugins. If PayHere Payment Gateway version is 2.3.9 or lower, you are vulnerable.Check Version:
wp plugin get payhere-payment-gateway --field=versionVerify Fix Applied:
Verify PayHere Payment Gateway plugin version is 2.4.0 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Multiple order status changes from pending to completed/paid without corresponding payment transactions
- Unusual API calls to /wc-api/payhere_gateway endpoint
Network Indicators:
- HTTP POST requests to /wc-api/payhere_gateway with manipulated order parameters
SIEM Query:
source="wordpress.log" AND "payhere_gateway" AND ("status":"completed" OR "status":"paid") AND NOT "payment_method":"payhere"