Security Alert Summary
The Wallet System for WooCommerce plugin contains a missing capability check in the change_wallet_fund_request_status_callback function. This allows authenticated users with Subscriber-level access and above to manipulate wallet withdrawal requests, potentially increasing their own wallet balance or decreasing the balances of other users.
CVE Details
- CVE ID: CVE-2025-14450
- Affected plugin / component: Wallet System for WooCommerce plugin for WordPress
- Affected versions: All versions up to, and including, 2.7.2
- Published: January 17, 2026 at 03:16:03 AM (UTC)
- Last modified: January 17, 2026 at 03:16:03 AM (UTC)
- CVSS v3.1: Base Score 6.5 — MEDIUM — Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
- Authentication / privileges / user interaction: Requires an authenticated user; description indicates attackers with Subscriber-level access and above. CVSS fields: Privileges Required = LOW, User Interaction = NONE.
- Primary impact: Confidentiality: NONE; Integrity: HIGH; Availability: NONE
- CWE / weakness: CWE-862 (Missing Authorization)
Technical Details
The vulnerability is caused by a missing capability check on the change_wallet_fund_request_status_callback function. Because the plugin does not properly verify that the acting user has the required capability before processing wallet withdrawal status changes, authenticated users with low-level privileges (Subscriber and above, per the description) can invoke the callback to alter withdrawal requests.
Practically, the missing authorization check allows manipulation of wallet withdrawal request handling logic so an attacker can cause their own wallet balance to be increased or other users’ balances to be decreased. The description and linked code references identify the specific function where the check is absent.
How This Could Impact Your Website
In a typical site with multiple WordPress accounts, an attacker who has or can obtain a Subscriber account (for example, a low-privilege contributor, a compromised account, or a contractor with an account) could use this flaw to adjust wallet withdrawal statuses. This can result in improper credits to the attacker’s wallet balance or debits to other users’ wallets, producing financial discrepancies, user complaints, and reconciliation work for the site owner and staff.
For example, a site owner may receive reports from customers about missing funds while internal staff spend time investigating ledger inconsistencies. An external contractor or contributor with a Subscriber-level account could exploit the missing check to benefit financially. If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin as soon as a patched version is available. (No fixed version is specified in the CVE entry.)
- Review and reduce unnecessary user roles and accounts, especially ensuring only trusted users have contributor-level access or higher.
- Enforce strong passwords and enable two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins to reduce your attack surface.
- Monitor site activity and wallet transaction logs for unusual or unauthorized changes.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/wallet-system-for-woocommerce/tags/2.7.2/includes/class-wallet-system-ajaxhandler.php#L140
- https://plugins.trac.wordpress.org/browser/wallet-system-for-woocommerce/trunk/includes/class-wallet-system-ajaxhandler.php#L140
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3435898%40wallet-system-for-woocommerce&new=3435898%40wallet-system-for-woocommerce&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/466a5315-fc05-4b96-9dfd-17862fc406c5?source=cve