Security Alert Summary
The Xendit Payment plugin for WordPress (WooCommerce integration) contains an unauthenticated order status manipulation vulnerability. Its public payment callback endpoint accepts callbacks without authentication or cryptographic verification, so an attacker who can identify an order ID can submit a crafted request that marks that order as paid. Orders may then be fulfilled without any payment having been received, causing financial loss and inventory depletion.
CVE Details
- CVE ID: CVE-2025-14461
- Affected plugin / component: Xendit Payment plugin for WordPress (WooCommerce integration)
- Affected versions: All versions up to, and including, 6.0.2
- Published: February 4, 2026 at 9:15:49 AM (UTC)
- Last modified: February 4, 2026 at 4:33:44 PM (UTC)
- CVSS v3.1: Base Score 5.3, Severity: MEDIUM
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: NONE
- User Interaction: NONE
- Scope: UNCHANGED
- Confidentiality Impact: NONE
- Integrity Impact: LOW
- Availability Impact: NONE
- Authentication / Privileges / User Interaction: No authentication required; no privileges required; no user interaction required (per CVSS data)
- Primary impact: Integrity (unauthenticated modification of order status leading to fraudulent paid status)
- CWE / Weakness ID: CWE-862
Technical Details
The plugin exposes a publicly accessible WooCommerce API callback endpoint named wc_xendit_callback (reachable through WooCommerce's legacy API URL, e.g. /wc-api/wc_xendit_callback). This endpoint processes incoming payment callback POST requests without any authentication check or cryptographic verification that the request originated from Xendit's payment gateway. The handler decodes a JSON payload and reads fields such as external_id and status. If external_id maps to an existing WooCommerce order and status is "PAID" or "SETTLED", the plugin marks that order as paid.
The vulnerability exists because the callback handler does not validate the sender (no shared secret, signature, or other verification) and because WooCommerce order identifiers are sequential integers that are trivial to enumerate, so an unauthenticated attacker can craft requests targeting specific orders. The CVE entry lists all versions up to and including 6.0.2 as vulnerable and does not name a fixed or patched version.
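To make the missing checks concrete, the following is an added, illustrative example and not the plugin's own code: the vulnerable handler shape the advisory describes, next to a hardened form of the same endpoint. The hardened version addresses both findings above, the unverified sender and the enumerable identifier. Function names, the option key holding the merchant's callback token, the _xendit_external_id order meta key, the "order-<id>-<random>" external_id format, and the hypothetical vulnerable handler are assumptions; the x-callback-token header and the id, status and paid_amount fields follow Xendit's invoice callback as I understand it and should be confirmed against Xendit's current documentation.

```php
<?php
// Added, illustrative example; not the plugin's own code. Function names,
// option/meta keys and the external_id format are assumptions. WooCommerce
// dispatches /wc-api/<name> to the woocommerce_api_<name> action.

// VULNERABLE shape: anyone who can POST JSON with a guessable external_id and
// status "PAID" flips the order to paid. Nothing proves the sender is Xendit.
function xendit_callback_vulnerable() {
    $payload = json_decode( file_get_contents( 'php://input' ), true );
    $ext_id  = is_array( $payload ) ? (string) ( $payload['external_id'] ?? '' ) : '';
    $status  = is_array( $payload ) ? (string) ( $payload['status'] ?? '' ) : '';
    $order   = wc_get_order( (int) preg_replace( '/\D+/', '', $ext_id ) ); // assumed: external_id embeds the order ID
    if ( $order && in_array( $status, array( 'PAID', 'SETTLED' ), true ) ) {
        $order->payment_complete();
    }
    status_header( 200 );
    exit;
}

// HARDENED shape.
function xendit_callback_hardened() {
    $logger = wc_get_logger();

    // 1. Authenticate the sender. Xendit sends the merchant's callback
    //    verification token in the x-callback-token header; the option holding
    //    the merchant's copy is an assumed name. Compare in constant time.
    $expected = (string) get_option( 'xendit_callback_verification_token', '' );
    $provided = (string) ( $_SERVER['HTTP_X_CALLBACK_TOKEN'] ?? '' );
    if ( '' === $expected || ! hash_equals( $expected, $provided ) ) {
        $logger->warning( 'Rejected Xendit callback: bad or missing token', array( 'source' => 'xendit' ) );
        status_header( 401 );
        exit;
    }

    // 2. Parse strictly; every field the decision depends on must be present.
    $payload = json_decode( file_get_contents( 'php://input' ), true );
    if ( ! is_array( $payload )
        || empty( $payload['external_id'] ) || empty( $payload['id'] )
        || ! isset( $payload['status'], $payload['paid_amount'] ) ) {
        status_header( 400 );
        exit;
    }
    $ext_id = (string) $payload['external_id'];

    // 3. Resolve the order without trusting the identifier alone. Assumed scheme:
    //    the plugin generated external_id as "order-<id>-<random>" when it created
    //    the invoice and stored it in order meta, so a sequential order ID is not
    //    enough to forge a callback; the stored value must match exactly.
    if ( ! preg_match( '/^order-(\d+)-[A-Za-z0-9]{16,}$/', $ext_id, $m ) ) {
        status_header( 400 );
        exit;
    }
    $order = wc_get_order( (int) $m[1] );
    if ( ! $order || ! hash_equals( (string) $order->get_meta( '_xendit_external_id' ), $ext_id ) ) {
        $logger->warning( sprintf( 'Rejected Xendit callback for unknown external_id %s', $ext_id ), array( 'source' => 'xendit' ) );
        status_header( 404 );
        exit;
    }

    // 4. Idempotency: Xendit may retry a callback; a repeat must not re-run
    //    the fulfilment hooks that payment_complete() fires.
    if ( $order->is_paid() ) {
        status_header( 200 );
        exit;
    }

    // 5. Only PAID/SETTLED mark the order paid, and only for the full amount.
    $status = (string) $payload['status'];
    if ( in_array( $status, array( 'PAID', 'SETTLED' ), true ) ) {
        if ( abs( (float) $payload['paid_amount'] - (float) $order->get_total() ) > 0.005 ) {
            $order->add_order_note( sprintf( 'Xendit callback amount %s does not match order total %s; left unpaid.',
                sanitize_text_field( (string) $payload['paid_amount'] ), $order->get_total() ) );
            $order->update_status( 'on-hold' );
            status_header( 200 );
            exit;
        }
        $order->payment_complete( sanitize_text_field( (string) $payload['id'] ) ); // Xendit invoice id as transaction id
    } elseif ( 'EXPIRED' === $status ) {
        $order->update_status( 'cancelled', 'Xendit invoice expired.' );
    } else {
        $order->add_order_note( 'Xendit callback with status ' . sanitize_text_field( $status ) . ' ignored.' );
    }
    status_header( 200 );
    exit;
}

add_action( 'woocommerce_api_wc_xendit_callback', 'xendit_callback_hardened' );
```

The token check is what closes this CVE; the unguessable external_id, the amount comparison and the is_paid() guard are defence in depth so that a leaked token, a partial payment or a replayed callback each fail closed. The strongest design goes one step further and treats the callback only as a hint, re-fetching the invoice from Xendit's API by its id and acting on that server-side status; that needs network access and is omitted here.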
How This Could Impact Your Website
In a realistic scenario, an external attacker could send crafted POST requests to the public callback URL to mark orders as paid. For example:
- The site owner or store manager believes an order was paid and instructs fulfillment or shipping staff to process the order.
- An internal staff member (warehouse or logistics) ships goods based on the paid status recorded in WooCommerce.
- An external contractor or dropshipper fulfills the order, resulting in inventory reduction and financial loss for the merchant when no payment was actually received.
The immediate practical consequences include fraudulent orders being completed, loss of inventory, and direct financial loss due to shipments sent without payment. The CVSS data indicates confidentiality and availability impacts are not expected; the primary risk is integrity of order state. If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin as soon as a patched version is available. The CVE entry does not name one, so check the Wordfence entry in the References for the current fix status.
- Until then, treat the WooCommerce "paid" status as untrusted for this gateway: confirm each Xendit order against the Xendit dashboard (invoice and amount) before shipping, or disable the Xendit payment method if the store cannot absorb that manual step.
- If Xendit publishes fixed source addresses for its callbacks, restrict the callback URL (the wc-api endpoint wc_xendit_callback) to those addresses at the web server or WAF; if your plugin version offers a callback verification token setting, enable it and store the token from the Xendit dashboard.
- Review and reduce unnecessary user roles and privileges, and enforce strong passwords and two-factor authentication for editors and administrators. These are general hygiene measures: this vulnerability needs no account at all, so on their own they do not mitigate it.
- Remove unused or unmaintained plugins and keep all components up to date.
- Monitor site and order activity logs for bursts of POST requests to the callback endpoint from a single source, and for orders that moved to a paid status without a matching invoice in Xendit.
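The monitoring item above can be turned into a concrete check. The script below is an added example, not part of the page or the plugin: it reads web server access log lines in combined format and flags any source address that POSTs to the wc_xendit_callback endpoint more than a threshold number of times within a sliding window, which is what an attacker walking sequential order IDs looks like from the web server's side. The log lines at the bottom are constructed, the addresses are documentation ranges, and the function name and thresholds are my own choices.

```php
<?php
// Added example, not from the page or the plugin. Flags source IPs that POST
// to the Xendit callback endpoint at least $threshold times within $window
// seconds. The sample log lines below are constructed.

function find_callback_bursts( array $lines, int $threshold = 5, int $window = 60 ): array {
    // Combined log format: ip ident user [time] "METHOD path proto" status size ...
    $re   = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /';
    $hits = array();
    foreach ( $lines as $line ) {
        if ( ! preg_match( $re, $line, $m ) ) {
            continue;
        }
        list( , $ip, $ts, $method, $path ) = $m;
        // WooCommerce accepts both /wc-api/<name> and /?wc-api=<name>.
        if ( 'POST' !== $method
            || false === stripos( $path, 'wc-api' )
            || false === stripos( $path, 'wc_xendit_callback' ) ) {
            continue;
        }
        $t = DateTime::createFromFormat( 'd/M/Y:H:i:s O', $ts );
        if ( $t ) {
            $hits[ $ip ][] = $t->getTimestamp();
        }
    }

    // Sliding window per IP: record the largest number of callback POSTs that
    // fall inside any $window-second span.
    $alerts = array();
    foreach ( $hits as $ip => $times ) {
        sort( $times );
        $n = count( $times );
        for ( $i = 0, $j = 0; $j < $n; $j++ ) {
            while ( $times[ $j ] - $times[ $i ] > $window ) {
                $i++;
            }
            $in_window = $j - $i + 1;
            if ( $in_window >= $threshold ) {
                $alerts[ $ip ] = max( $alerts[ $ip ] ?? 0, $in_window );
            }
        }
    }
    return $alerts; // ip => peak callback POSTs within one window
}

// Constructed sample: one ordinary callback from 198.51.100.7 and a burst of
// six from 203.0.113.9 within twenty seconds, plus an unrelated GET.
$sample = array(
    '198.51.100.7 - - [04/Feb/2026:09:15:49 +0000] "POST /wc-api/wc_xendit_callback HTTP/1.1" 200 12 "-" "Xendit-Webhook"',
    '203.0.113.9 - - [04/Feb/2026:10:00:01 +0000] "POST /?wc-api=wc_xendit_callback HTTP/1.1" 200 12 "-" "python-requests/2.31"',
    '203.0.113.9 - - [04/Feb/2026:10:00:04 +0000] "POST /?wc-api=wc_xendit_callback HTTP/1.1" 200 12 "-" "python-requests/2.31"',
    '203.0.113.9 - - [04/Feb/2026:10:00:08 +0000] "POST /?wc-api=wc_xendit_callback HTTP/1.1" 200 12 "-" "python-requests/2.31"',
    '203.0.113.9 - - [04/Feb/2026:10:00:12 +0000] "POST /?wc-api=wc_xendit_callback HTTP/1.1" 200 12 "-" "python-requests/2.31"',
    '203.0.113.9 - - [04/Feb/2026:10:00:16 +0000] "POST /?wc-api=wc_xendit_callback HTTP/1.1" 200 12 "-" "python-requests/2.31"',
    '203.0.113.9 - - [04/Feb/2026:10:00:20 +0000] "POST /?wc-api=wc_xendit_callback HTTP/1.1" 200 12 "-" "python-requests/2.31"',
    '203.0.113.9 - - [04/Feb/2026:10:05:00 +0000] "GET /shop/ HTTP/1.1" 200 5120 "-" "python-requests/2.31"',
);

foreach ( find_callback_bursts( $sample ) as $ip => $count ) {
    printf( "ALERT %s: %d callback POSTs within 60s\n", $ip, $count );
}
```

The access log does not carry the JSON body, so this only sees the rate, not which external_id values were tried; a single well-aimed forged callback will not trip it. The definitive check remains reconciling every order WooCommerce shows as paid through Xendit against the invoices Xendit itself reports as paid.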
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/woo-xendit-virtual-accounts/tags/6.0.2/woocommerce-xendit-pg.php#L252
- https://plugins.trac.wordpress.org/browser/woo-xendit-virtual-accounts/trunk/woocommerce-xendit-pg.php#L252
- https://www.wordfence.com/threat-intel/vulnerabilities/id/2791bbd5-9101-4484-a352-0e4d2ce04e5d?source=cve