Piraeus Bank WooCommerce Payment Gateway Missing Authorization Vulnerability Allowing Unauthenticated Order Status Changes
Vulnerability
A vulnerability exists in the Piraeus Bank WooCommerce Payment Gateway plugin for WordPress, affecting all versions up to and including 3.1.4. The issue arises from a lack of authorization checks on the payment callback endpoint that handles 'fail' notifications from the payment gateway. This flaw enables unauthenticated attackers to manipulate order statuses through the publicly accessible WooCommerce API simply by supplying an order ID, which is easy to guess because WooCommerce order IDs are sequential. Exploiting this vulnerability could lead to orders being incorrectly marked as 'failed', causing disruptions such as canceled shipments, inventory discrepancies, and revenue loss.
Impact
Exploitation of this vulnerability allows for unauthorized changes to order statuses, specifically marking orders as 'failed'. This can disrupt business operations by causing canceled shipments, inventory management issues, and financial losses.
Reproduction
To reproduce this vulnerability, send a request to the WooCommerce API payment callback endpoint for the Piraeus Bank gateway. Include the 'MerchantReference' parameter with an order ID that you wish to modify. The request can be made without authentication, and the order ID can be any valid, sequentially numbered ID.
Remediation
No known patch is available. It is recommended to review the vulnerability details and consider uninstalling the affected plugin.
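The following is an added illustration, not code from the Piraeus Bank plugin or a patch for it, of what the missing check described in the Vulnerability section looks like next to a callback handler that only changes an order's status after verifying the request came from the gateway. It assumes a hypothetical shared-secret HMAC over the callback body; a real implementation must follow the gateway's own documented signing scheme, and all option names, hook IDs and header names used here are assumptions.

```php
<?php
// Vulnerable pattern from the advisory: the order id in the callback is trusted
// as-is, so any unauthenticated request can mark an arbitrary order 'failed'.
function vulnerable_fail_callback() {
    $order = wc_get_order( (int) $_REQUEST['MerchantReference'] );
    if ( $order ) {
        $order->update_status( 'failed', 'Payment failed (gateway callback)' );
    }
}

// Hardened handler. Assumption: the gateway signs each callback with
// HMAC-SHA256 over the raw POST body using a secret stored in plugin settings.
function hardened_fail_callback() {
    $secret = get_option( 'hypothetical_piraeus_callback_secret', '' );
    $raw    = file_get_contents( 'php://input' );
    $sig    = isset( $_SERVER['HTTP_X_GATEWAY_SIGNATURE'] ) ? $_SERVER['HTTP_X_GATEWAY_SIGNATURE'] : '';

    // Reject unsigned or forged callbacks; hash_equals() is constant-time.
    if ( '' === $secret || '' === $sig
         || ! hash_equals( hash_hmac( 'sha256', $raw, $secret ), $sig ) ) {
        wc_get_logger()->warning(
            'Rejected unauthenticated payment callback',
            array( 'source' => 'hypothetical-piraeus-gateway' )
        );
        status_header( 403 );
        exit;
    }

    parse_str( $raw, $params );
    $order_id = isset( $params['MerchantReference'] ) ? (int) $params['MerchantReference'] : 0;
    $order    = wc_get_order( $order_id );

    // Only orders still awaiting payment may be failed; a paid or completed
    // order is never touched by a late or replayed 'fail' notification.
    if ( ! $order || ! $order->has_status( array( 'pending', 'on-hold' ) ) ) {
        status_header( 200 );
        exit;
    }
    $order->update_status( 'failed', 'Payment failed (verified gateway callback)' );
    status_header( 200 );
    exit;
}

// 'woocommerce_api_<id>' is WooCommerce's real hook for exposing a callback at
// /wc-api/<id>; the id itself is hypothetical.
add_action( 'woocommerce_api_hypothetical_piraeus_fail', 'hardened_fail_callback' );
```

Because the signature covers the whole body, a forged `MerchantReference` cannot be inserted by a caller who lacks the secret, and the status guard limits the blast radius of any replayed legitimate callback.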