Search criteria

2 vulnerabilities by payhere

CVE-2025-15475 (GCVE-0-2025-15475)

Vulnerability from cvelistv5 – Published: 2026-01-14 06:40 – Updated: 2026-01-14 06:40
VLAI?
Title
PayHere Payment Gateway Plugin for WooCommerce <= 2.3.9 - Missing Authorization to Unauthenticated Order Status Modification
Summary
The PayHere Payment Gateway Plugin for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to an improper validation logic in the check_payhere_response function in all versions up to, and including, 2.3.9. This makes it possible for unauthenticated attackers to change the status of pending WooCommerce orders to paid/completed/on hold.
Severity ?
5.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CWE
Assigner
References
Impacted products
Vendor Product Version
payhere PayHere Payment Gateway Plugin for WooCommerce Affected: * , ≤ 2.3.9 (semver)
Create a notification for this product.
Credits
Md. Moniruzzaman Prodhan
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "PayHere Payment Gateway Plugin for WooCommerce",
          "vendor": "payhere",
          "versions": [
            {
              "lessThanOrEqual": "2.3.9",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Md. Moniruzzaman Prodhan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The PayHere Payment Gateway Plugin for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to an improper validation logic in the check_payhere_response function in all versions up to, and including, 2.3.9. This makes it possible for unauthenticated attackers to change the status of pending WooCommerce orders to paid/completed/on hold."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-14T06:40:08.795Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e0c92241-0bef-4f87-8478-4d805435f09d?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/payhere-payment-gateway/tags/2.3.9/gateway/class-wcgatewaypayhere.php#L709"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-12-14T00:00:00.000+00:00",
          "value": "Discovered"
        },
        {
          "lang": "en",
          "time": "2026-01-13T17:29:40.000+00:00",
          "value": "Disclosed"
        }
      ],
      "title": "PayHere Payment Gateway Plugin for WooCommerce \u003c= 2.3.9 - Missing Authorization to Unauthenticated Order Status Modification"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2025-15475",
    "datePublished": "2026-01-14T06:40:08.795Z",
    "dateReserved": "2026-01-07T10:41:20.920Z",
    "dateUpdated": "2026-01-14T06:40:08.795Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-6064 (GCVE-0-2023-6064)

Vulnerability from cvelistv5 – Published: 2024-01-01 14:18 – Updated: 2026-01-09 21:01
VLAI?
Title
PayHere Payment Gateway < 2.2.12 - Unauthenticated Log Data Disclosure
Summary
The PayHere Payment Gateway WordPress plugin before 2.2.12 automatically creates publicly-accessible log files containing sensitive information when transactions occur.
Severity ?
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE
Assigner
References
https://wpscan.com/vulnerability/423c8881-628b-43… exploitvdb-entrytechnical-description
Impacted products
Vendor Product Version
Unknown PayHere Payment Gateway Affected: 0 , < 2.2.12 (semver)
Create a notification for this product.
Credits
Supun Halangoda WPScan
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T08:21:17.273Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "exploit",
              "vdb-entry",
              "technical-description",
              "x_transferred"
            ],
            "url": "https://wpscan.com/vulnerability/423c8881-628b-4380-9677-65b3f5165efe"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-6064",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-13T14:44:00.133867Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-09T21:01:02.959Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "product": "PayHere Payment Gateway",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "2.2.12",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Supun Halangoda"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "WPScan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The PayHere Payment Gateway WordPress plugin before 2.2.12 automatically creates publicly-accessible log files containing sensitive information when transactions occur."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-200 Information Exposure",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-01-01T14:18:52.756Z",
        "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "shortName": "WPScan"
      },
      "references": [
        {
          "tags": [
            "exploit",
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://wpscan.com/vulnerability/423c8881-628b-4380-9677-65b3f5165efe"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "PayHere Payment Gateway \u003c 2.2.12 - Unauthenticated Log Data Disclosure",
      "x_generator": {
        "engine": "WPScan CVE Generator"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
    "assignerShortName": "WPScan",
    "cveId": "CVE-2023-6064",
    "datePublished": "2024-01-01T14:18:52.756Z",
    "dateReserved": "2023-11-09T19:37:57.339Z",
    "dateUpdated": "2026-01-09T21:01:02.959Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}