FKIE_CVE-2025-15400

Vulnerability from fkie_nvd - Published: 2026-02-11 06:15 - Updated: 2026-06-17 08:37
Summary
The OpenPix for WooCommerce WordPress plugin through 2.13.3 allows any authenticated user to trigger AJAX actions that reset payment gateway configuration options without capability or nonce checks. This permits any authenticated users, such as subscribers to clear API credentials and webhook status, causing persistent disruption of OpenPix payment functionality.
Impacted products
Vendor Product Version

{
  "affected": [
    {
      "affectedData": [
        {
          "defaultStatus": "unknown",
          "product": "OpenPix for WooCommerce",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThanOrEqual": "2.13.3",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "source": "contact@wpscan.com"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The OpenPix for WooCommerce WordPress plugin through 2.13.3 allows any authenticated user to trigger AJAX actions that reset payment gateway configuration options without capability or nonce checks. This permits any authenticated users, such as subscribers to clear API credentials and webhook status, causing persistent disruption of OpenPix payment functionality."
    },
    {
      "lang": "es",
      "value": "El plugin de WordPress Pix para Woocommerce hasta la versi\u00f3n 2.13.3 permite a cualquier usuario autenticado activar acciones AJAX que restablecen las opciones de configuraci\u00f3n de la pasarela de pago sin comprobaciones de capacidad o nonce. Esto permite a cualquier usuario autenticado, como los suscriptores, borrar las credenciales de la API y el estado del webhook, causando una interrupci\u00f3n persistente de la funcionalidad de pago de OpenPix."
    }
  ],
  "id": "CVE-2025-15400",
  "lastModified": "2026-06-17T08:37:41.863",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ],
    "ssvcV203": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "ssvcData": {
          "id": "CVE-2025-15400",
          "options": [
            {
              "exploitation": "poc"
            },
            {
              "automatable": "no"
            },
            {
              "technicalImpact": "partial"
            }
          ],
          "role": "CISA Coordinator",
          "timestamp": "2026-02-11T15:59:26.939727Z",
          "version": "2.0.3"
        }
      }
    ]
  },
  "published": "2026-02-11T06:15:47.870",
  "references": [
    {
      "source": "contact@wpscan.com",
      "url": "https://wpscan.com/vulnerability/54c1251f-96be-4d70-b773-3db26b599838/"
    }
  ],
  "sourceIdentifier": "contact@wpscan.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…