CVE-2025-59559
Description
Missing Authorization vulnerability in payrexx Payrexx Payment Gateway for WooCommerce woo-payrexx-gateway allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Payrexx Payment Gateway for WooCommerce: from n/a through <= 3.1.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in Payrexx Payment Gateway for WooCommerce plugin up to 3.1.5 allows unauthenticated attackers to exploit incorrectly configured access controls.
Vulnerability Overview
The Payrexx Payment Gateway for WooCommerce plugin (woo-payrexx-gateway) versions up to and including 3.1.5 contain a missing authorization vulnerability. This flaw stems from incorrectly configured access control security levels, meaning certain functions or endpoints lack proper capability checks or nonce verification. As a result, unauthenticated users can trigger actions that should require higher privileges [1].
Exploitation
An attacker can exploit this vulnerability by sending crafted HTTP requests to the affected plugin endpoints without any authentication. No special network position is required; the attack can be performed remotely. The reference notes that vulnerabilities of this type are often used in mass-exploit campaigns, targeting thousands of websites regardless of size or popularity [1].
Impact
Successful exploitation could allow an attacker to perform unauthorized actions, such as modifying payment gateway settings or accessing sensitive configuration data. This could lead to financial loss, site compromise, or further attacks. However, the advisory rates this as a low-severity issue and states it is unlikely to be exploited in practice [1].
Mitigation
The vulnerability is fixed in version 3.1.6 of the plugin. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins. No workaround is provided, so updating is the only recommended course of action [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
- Range: <=3.1.5
- Range: <=3.1.5
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.