cleantalk
Vulnerabilities and Security Researches

Razorpay for WooCommerce, CVE-2025-14294

CVE, Research URL

CVE-2025-14294

Home page URL

Security reports for Razorpay for WooCommerce

Application

Razorpay for WooCommerce

Published on
Feb 19, 2026
Research Description
The Razorpay for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the getCouponList() function in all versions up to, and including, 4.7.8. This is due to the checkAuthCredentials() permission callback always returning true, providing no actual authentication. This makes it possible for unauthenticated attackers to modify the billing and shipping contact information (email and phone) of any WooCommerce order by knowing or guessing the order ID.
Affected versions
max 4.7.9.
Status
vulnerable
Previous vulnerability researches
Remove Duplicate Posts (1f5faa66dc6d492718ce5db9c3895b5840416340) , Jun 07, 2024
Remove Duplicate Posts (CVE-2023-29237) , Jun 10, 2024
New vulnerability
WP Wizard Cloak (CVE-2025-53237) , Feb 27, 2026
YITH WooCommerce Compare (CVE-2026-22333) , Feb 27, 2026
Kenta Companion (CVE-2026-27090) , Feb 27, 2026
WP-Lister Lite for eBay (CVE-2026-25384) , Feb 27, 2026
Email Marketing, Email Automation & Newsletter for WordPress & WooCommerce – Mail Mint (CVE-2026-23541) , Feb 27, 2026