PayHere Payment Gateway Plugin for WooCommerce Missing Authorization Vulnerability

Vulnerability

A vulnerability exists in the PayHere Payment Gateway Plugin for WooCommerce in all versions up to and including 2.3.9. The issue arises from improper validation in the 'check_payhere_response' function, the handler that processes the gateway's payment response, allowing unauthenticated attackers to modify order statuses. This vulnerability enables the unauthorized change of pending WooCommerce orders to paid, completed, or on-hold statuses.
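The flaw class described above is a payment-notification handler that acts on a caller-supplied status without verifying that the notification genuinely came from the gateway. The following is an added, self-contained PHP illustration written for this page; it is not code from the plugin and does not reproduce PayHere's real verification scheme. It assumes a hypothetical HMAC-SHA256 signature over a pipe-joined canonical string with the merchant secret, assumed field names (merchant_id, order_id, payhere_amount, payhere_currency, status_code, sig), an assumed status_code value of '2' meaning success, and an in-memory stand-in for the WooCommerce order store; sample_orders, vulnerable_handler and hardened_handler are hypothetical names.

```php
<?php
declare(strict_types=1);

// Constructed placeholder secret; a real merchant secret comes from the gateway account.
const MERCHANT_SECRET = 'example-merchant-secret';

/** Constructed in-memory stand-in for the WooCommerce order store. */
function sample_orders(): array {
    return [
        '1001' => ['status' => 'pending',   'amount' => '49.99', 'currency' => 'LKR'],
        '1002' => ['status' => 'completed', 'amount' => '10.00', 'currency' => 'LKR'],
    ];
}

/** Canonical string the (hypothetical) signature covers; field order is fixed on both sides. */
function canonical_string(array $n): string {
    return implode('|', [
        $n['merchant_id'] ?? '', $n['order_id'] ?? '', $n['payhere_amount'] ?? '',
        $n['payhere_currency'] ?? '', $n['status_code'] ?? '',
    ]);
}

/** Hypothetical signing scheme: HMAC-SHA256 of the canonical string with the merchant secret. */
function sign(array $n, string $secret): string {
    return hash_hmac('sha256', canonical_string($n), $secret);
}

/** Vulnerable pattern (the class of flaw on this page): trusts whatever the POST body says. */
function vulnerable_handler(array $post, array &$orders): string {
    $id = $post['order_id'] ?? '';
    if (!isset($orders[$id])) {
        return 'unknown order';
    }
    if (($post['status_code'] ?? '') === '2') {
        $orders[$id]['status'] = 'completed';   // anyone who can POST can flip the order
        return 'order marked paid';
    }
    return 'ignored';
}

/** Hardened pattern: verify signature, then amount/currency, then current order state. */
function hardened_handler(array $post, array &$orders, string $secret): string {
    $id = $post['order_id'] ?? '';
    if (!isset($orders[$id])) {
        return 'unknown order';
    }
    // 1. Authenticate the notification with a constant-time comparison.
    $expected = sign($post, $secret);
    if (!hash_equals($expected, (string)($post['sig'] ?? ''))) {
        return 'rejected: bad signature';
    }
    // 2. Cross-check the amount and currency against the stored order, not the request.
    $order = $orders[$id];
    if (($post['payhere_amount'] ?? '') !== $order['amount']
        || ($post['payhere_currency'] ?? '') !== $order['currency']) {
        return 'rejected: amount or currency mismatch';
    }
    // 3. Only transition orders that are still pending (idempotent on replays).
    if ($order['status'] !== 'pending') {
        return 'ignored: order not pending';
    }
    if (($post['status_code'] ?? '') !== '2') {
        return 'ignored: not a success status';
    }
    $orders[$id]['status'] = 'completed';
    return 'order marked paid';
}

// Constructed demo: an unsigned forged notification versus a properly signed one.
$forged = ['merchant_id' => 'M1', 'order_id' => '1001', 'payhere_amount' => '49.99',
           'payhere_currency' => 'LKR', 'status_code' => '2', 'sig' => 'bogus'];

$orders = sample_orders();
echo "vulnerable:        ", vulnerable_handler($forged, $orders), "\n";

$orders = sample_orders();
echo "hardened (forged): ", hardened_handler($forged, $orders, MERCHANT_SECRET), "\n";

$genuine = $forged;
$genuine['sig'] = sign($genuine, MERCHANT_SECRET);
echo "hardened (signed): ", hardened_handler($genuine, $orders, MERCHANT_SECRET), "\n";
```

Run with `php handler.php`: the vulnerable handler marks order 1001 paid on the forged request, the hardened handler rejects it, and only the correctly signed notification changes the order. The amount and currency check matters even when the signature is valid, because a genuine notification for a smaller payment must not settle a larger order, and the pending-state check keeps a replayed notification from re-processing an order that was already completed, refunded or cancelled.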

Impact

Exploitation of this vulnerability allows for unauthorized modification of WooCommerce order statuses, potentially leading to incorrect order management and fulfillment.

Remediation

No known patch is available. It is recommended to review the vulnerability details and consider uninstalling the affected plugin.

Added: Jan 14, 2026, 7:26 AM
Updated: Jan 14, 2026, 7:26 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.8
exploitability: 7.7
remediation: 0.0
relevance: 2.1
threat: 3.2
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.