Vulnerabilities and security researches forwoo-razorpay woo-razorpay

Jun 07, 2024

CVE, Research URL: b3b5a9ab191aa9218a81975fdc32d16d3db57aa9
Home page URL: Security reports for Razorpay for WooCommerce
Application: Razorpay for WooCommerce
Date: Nov 28, 2023
Research Description: Razorpay for WooCommerce [woo-razorpay] < 4.5.7 Razorpay for WooCommerce <= 4.5.6 - Missing Authorization The Razorpay for WooCommerce plugin for WordPress is vulnerable to unauthorized modification due to a missing capability check on several functions hooked via admin_post in all versions up to, and including, 4.5.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to update, direct, create, and reverse transfers through the plugin.
Affected versions: max 4.5.7.
Status: vulnerable

Feb 27, 2026

CVE, Research URL: CVE-2025-14294
Home page URL: Security reports for Razorpay for WooCommerce
Application: Razorpay for WooCommerce
Date: Feb 19, 2026
Research Description: The Razorpay for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the getCouponList() function in all versions up to, and including, 4.7.8. This is due to the checkAuthCredentials() permission callback always returning true, providing no actual authentication. This makes it possible for unauthenticated attackers to modify the billing and shipping contact information (email and phone) of any WooCommerce order by knowing or guessing the order ID.
Affected versions: max 4.7.9.
Status: vulnerable