cleantalk
Vulnerabilities and Security Researches

Order Tip for WooCommerce, CVE-2025-6025

CVE, Research URL

CVE-2025-6025

Home page URL

Security reports for Order Tip for WooCommerce

Application

Order Tip for WooCommerce

Published on
Aug 15, 2025
Research Description
The Order Tip for WooCommerce plugin for WordPress is vulnerable to Unauthenticated Improper Input Validation in all versions up to, and including, 1.5.4. This is due to lack of server-side validation on the `data-tip` attribute, which makes it possible for unauthenticated attackers to apply an excessive or even negative tip amount, resulting in unauthorized discount up to free orders depending on the value submitted.
Affected versions
Min -, max 1.5.5.
Status
vulnerable
Previous vulnerability researches
FundEngine – Donation and Crowdfunding Platform (CVE-2022-0788) , Jun 07, 2024
FundEngine – Donation and Crowdfunding Platform (CVE-2024-34758) , Jun 07, 2024
FundEngine – Donation and Crowdfunding Platform (CVE-2025-48302) , Aug 12, 2025
FundEngine – Donation and Crowdfunding Platform (CVE-2024-6698) , Aug 02, 2024
FundEngine – Donation and Crowdfunding Platform (CVE-2025-47459) , May 09, 2025
New vulnerability
Linux Promotional Plugin (CVE-2025-7668) , Aug 17, 2025
Poll Maker – Best WordPress Poll Plugin (CVE-2024-12575) , Aug 17, 2025
Add User Meta (CVE-2025-7688) , Aug 17, 2025
User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor (CVE-2025-8896) , Aug 17, 2025
RSS Feed Pro (CVE-2025-53581) , Aug 17, 2025