{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-20T01:29:08.146","vulnerabilities":[{"cve":{"id":"CVE-2025-14460","sourceIdentifier":"security@wordfence.com","published":"2026-01-07T12:16:54.903","lastModified":"2026-04-15T00:35:42.020","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"The Piraeus Bank WooCommerce Payment Gateway plugin for WordPress is vulnerable to unauthorized order status modification in all versions up to, and including, 3.1.4. This is due to missing authorization checks on the payment callback endpoint handler when processing the 'fail' callback from the payment gateway. This makes it possible for unauthenticated attackers to change any order's status to 'failed' via the publicly accessible WooCommerce API endpoint by providing only the order ID (MerchantReference parameter), which can be easily enumerated as order IDs are sequential integers. This can cause significant business disruption including canceled shipments, inventory issues, and loss of revenue."},{"lang":"es","value":"El plugin de pasarela de pago WooCommerce de Piraeus Bank para WordPress es vulnerable a la modificación no autorizada del estado de los pedidos en todas las versiones hasta la 3.1.4, inclusive. Esto se debe a la falta de comprobaciones de autorización en el manejador del endpoint de devolución de llamada de pago al procesar la devolución de llamada 'fail' de la pasarela de pago. Esto hace posible que atacantes no autenticados cambien el estado de cualquier pedido a 'failed' a través del endpoint de la API de WooCommerce de acceso público, proporcionando solo el ID del pedido (parámetro MerchantReference), que puede ser fácilmente enumerado ya que los IDs de los pedidos son enteros secuenciales. Esto puede causar una interrupción significativa del negocio, incluyendo envíos cancelados, problemas de inventario y pérdida de ingresos."}],"metrics":{"cvssMetricV31":[{"source":"security@wordfence.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":1.4}]},"weaknesses":[{"source":"security@wordfence.com","type":"Secondary","description":[{"lang":"en","value":"CWE-862"}]}],"references":[{"url":"https://plugins.trac.wordpress.org/browser/woo-payment-gateway-for-piraeus-bank/tags/3.1.4/classes/WC_Piraeusbank_Gateway.php#L821","source":"security@wordfence.com"},{"url":"https://plugins.trac.wordpress.org/browser/woo-payment-gateway-for-piraeus-bank/trunk/classes/WC_Piraeusbank_Gateway.php#L821","source":"security@wordfence.com"},{"url":"https://plugins.trac.wordpress.org/changeset/3439515/","source":"security@wordfence.com"},{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/d7b15198-8f44-4390-862b-35d41eb8a854?source=cve","source":"security@wordfence.com"}]}}]}