CVE-2025-15400
Description
The OpenPix for WooCommerce WordPress plugin through 2.13.3 allows any authenticated user to trigger AJAX actions that reset payment gateway configuration options without capability or nonce checks. This permits any authenticated user, such as a subscriber, to clear API credentials and webhook status, causing persistent disruption of OpenPix payment functionality.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated users can reset OpenPix payment gateway settings in WooCommerce plugin through 2.13.3 due to missing capability and nonce checks, disrupting payment functionality.
The OpenPix for WooCommerce plugin through version 2.13.3 contains a missing authorization vulnerability in its AJAX handlers. The plugin fails to perform capability checks or include nonce verification on several AJAX actions that reset payment gateway configuration options, such as API credentials and webhook status [1]. This oversight allows any authenticated user, regardless of their role, to trigger these actions.
Exploitation requires only an active user session; even subscribers or customers can send the crafted AJAX requests. No special permissions are needed, and there is no protection against cross-site request forgery (CSRF) due to the missing nonce check. The attacker simply needs to be logged into a WordPress account with any role.
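The defect described above is a standard WordPress pattern: a handler registered on a wp_ajax_* hook is reachable by every logged-in user, so the handler itself must verify both a nonce (CSRF) and a capability (authorization). The following is an added illustration written for this page, not code from the OpenPix for WooCommerce plugin; the hook, function, option and capability names are hypothetical placeholders (manage_woocommerce is a real WooCommerce capability, chosen here as an assumption about what a gateway-settings action should require). It shows the unprotected shape beside the hardened one.

```php
<?php
// Added example, not the plugin's own code. All example_* names are hypothetical.

// --- Shape of the flaw the advisory describes: no nonce check, no capability check ---
// wp_ajax_* hooks fire for any authenticated user; nothing below asks who is calling
// or whether the request originated from the plugin's own settings page.
add_action( 'wp_ajax_example_reset_gateway', 'example_reset_gateway_unprotected' );
function example_reset_gateway_unprotected() {
    delete_option( 'example_gateway_api_key' );                  // clears API credentials
    update_option( 'example_gateway_webhook_status', 'disabled' ); // clears webhook status
    wp_send_json_success( array( 'reset' => true ) );
}

// --- Hardened form: verify the nonce first, then the capability, then act ---
add_action( 'wp_ajax_example_reset_gateway_secure', 'example_reset_gateway_secure' );
function example_reset_gateway_secure() {
    // CSRF protection: the request must carry a nonce minted for this action
    // in the 'nonce' request parameter; check_ajax_referer() dies with a 403 otherwise.
    check_ajax_referer( 'example_reset_gateway_nonce', 'nonce' );

    // Authorization: only users allowed to manage the store may touch gateway settings.
    // (Assumption: manage_woocommerce is the right bar for a payment-gateway reset.)
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    delete_option( 'example_gateway_api_key' );
    update_option( 'example_gateway_webhook_status', 'disabled' );
    wp_send_json_success( array( 'reset' => true ) );
}

// Settings-page side of the hardened form: hand the nonce to the script that calls the action,
// so legitimate requests from the admin page carry it and forged ones cannot.
add_action( 'admin_enqueue_scripts', 'example_enqueue_settings_script' );
function example_enqueue_settings_script( $hook_suffix ) {
    wp_enqueue_script(
        'example-settings',
        plugins_url( 'settings.js', __FILE__ ), // hypothetical script path
        array( 'jquery' ),
        '1.0',
        true
    );
    wp_localize_script( 'example-settings', 'exampleSettings', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_reset_gateway_nonce' ),
    ) );
}
```

Two details matter when reviewing a plugin for this class of bug. First, a nonce alone is not authorization: wp_create_nonce() ties the token to the current user, so a subscriber who can reach a page that emits the nonce can still pass check_ajax_referer(); the current_user_can() check is what enforces role. Second, neither handler registers a wp_ajax_nopriv_* variant, which is why the advisory's precondition is an authenticated session rather than an anonymous request.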
The immediate impact is the disruption of OpenPix payment processing. Once an attacker resets the gateway settings, the store can no longer process payments via OpenPix until an administrator manually re-enters the correct API credentials and re-enables webhooks. This can cause persistent financial loss and operational disruption.
As of the publication date, no patch is available for this vulnerability. The plugin is likely unmaintained. Sites using the OpenPix for WooCommerce plugin should consider disabling it or migrating to an alternative payment gateway to mitigate the risk [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=2.13.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.