CVE-2025-14978
PeachPay — Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net) <= 1.119.8 - Missing Authorization to Unauthenticated Order Status Modification
CVSS Score
5.3
EPSS Score
0.0%
EPSS Percentile
0th
The PeachPay — Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability checks on the ConvesioPay webhook REST endpoint in all versions up to, and including, 1.119.8. This makes it possible for unauthenticated attackers to modify the status of arbitrary WooCommerce orders.
| CWE | CWE-862 |
| Vendor | peachpay |
| Product | peachpay — payments & express checkout for woocommerce (supports stripe, paypal, square, authorize.net, nmi) |
| Published | Jan 20, 2026 |
| Last Updated | Apr 8, 2026 |
Stay Ahead of the Next One
Get instant alerts for peachpay peachpay — payments & express checkout for woocommerce (supports stripe, paypal, square, authorize.net, nmi)
Be the first to know when new medium vulnerabilities affecting peachpay peachpay — payments & express checkout for woocommerce (supports stripe, paypal, square, authorize.net, nmi) are published — delivered to Slack, Telegram or Discord.
Get Free Alerts →
Free · No credit card · 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
peachpay / PeachPay — Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net, NMI)
0 ≤ 1.119.8
References
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/5480a151-3e3a-46ba-9712-6c61fba06812?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/peachpay-for-woocommerce/tags/1.119.5/core/payments/convesiopay/routes/class-peachpay-convesiopay-webhook.php#L33
Credits
Md. Moniruzzaman Prodhan