VYPR
Medium severity5.3NVD Advisory· Published Jan 17, 2026· Updated Apr 15, 2026

CVE-2025-14078

CVE-2025-14078

Description

The PAYGENT for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.4.6. This is due to missing authorization checks on the paygent_check_webhook function combined with the paygent_permission_callback function unconditionally returning true on line 199. This makes it possible for unauthenticated attackers to manipulate payment callbacks and modify order statuses by sending forged payment notifications via the /wp-json/paygent/v1/check/ endpoint.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Patches

Vulnerability mechanics

References

5

News mentions

0

No linked articles in our index yet.