Oceanpayment CreditCard Gateway

5.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Description

The Oceanpayment CreditCard Gateway plugin for WordPress is vulnerable to unauthenticated and unauthorized modification of data due to missing authentication and capability checks on the 'return_payment' and 'notice_payment' functions in all versions up to, and including, 6.0. This makes it possible for unauthenticated attackers to update WooCommerce orders to 'failed' status, and update transaction IDs.

Basic Information

ID CVE-2025-11728

Source Wordfence

Published Oct 15, 2025 at 08:26

Affected Product

Vendor oceanpayment

Product Oceanpayment CreditCard Gateway

Version *

Affected Versions oceanpayment Oceanpayment CreditCard Gateway *

CWE Classification

CWE-306

References

{
    "lastseen": "",
    "description": "The Oceanpayment CreditCard Gateway plugin for WordPress is vulnerable to unauthenticated and unauthorized modification of data due to missing authentication and capability checks on the 'return_payment' and 'notice_payment' functions in all versions up to, and including, 6.0. This makes it possible for unauthenticated attackers to update WooCommerce orders to 'failed' status, and update transaction IDs.",
    "published": "2025-10-15T08:26:03.227Z",
    "modified": "2025-10-15T08:26:03.227Z",
    "type": "cve",
    "title": "Oceanpayment CreditCard Gateway <= 6.0 - Missing Authentication to Unauthenticated Order Status Update",
    "source": "Wordfence",
    "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c560bc33-d664-433e-bfd9-e4fa1776bb76?source=cve\nhttps://plugins.trac.wordpress.org/browser/oceanpayment-creditcard-gateway/trunk/class-wc-oceancreditcard.php#L594\nhttps://plugins.trac.wordpress.org/browser/oceanpayment-creditcard-gateway/trunk/class-wc-oceancreditcard.php#L489",
    "id": "CVE-2025-11728",
    "bulletinFamily": "",
    "cwe": [
        "CWE-306"
    ],
    "cvelist": null,
    "sourceData": "oceanpayment Oceanpayment CreditCard Gateway *",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Oceanpayment CreditCard Gateway",
    "version": "*",
    "vendor": "oceanpayment",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Oceanpayment CreditCard Gateway <= 6.0 - Missing Authentication to Unauthenticated Order Status Update_CVE-2025-11728