High severity7.5NVD Advisory· Published Aug 15, 2025· Updated Apr 15, 2026

CVE-2025-6025

Description

The Order Tip for WooCommerce plugin for WordPress is vulnerable to Unauthenticated Improper Input Validation in all versions up to, and including, 1.5.4. This is due to lack of server-side validation on the data-tip attribute, which makes it possible for unauthenticated attackers to apply an excessive or even negative tip amount, resulting in unauthorized discount up to free orders depending on the value submitted.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

plugins.trac.wordpress.org/browser/order-tip-woo/trunk/assets/build/front.bundle.jsnvd
plugins.trac.wordpress.org/browser/order-tip-woo/trunk/frontend/views/tip-form.phpnvd
plugins.trac.wordpress.org/changesetnvd
www.wordfence.com/threat-intel/vulnerabilities/id/9bcd18bd-032e-4a97-83aa-a377f9b1f435nvd

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000