5.3

Razorpay for WooCommerce lets unauthorized users change order details

CVE-2025-14294
Summary

The Razorpay for WooCommerce plugin on WordPress has a security flaw that allows anyone to change the email and phone number on any order without permission. This is a risk because attackers could use this to impersonate customers or disrupt business operations. To stay safe, update the plugin to the latest version or consider removing it if you don't need it.

Original title
The Razorpay for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the getCouponList() function in all versions up to, and inc...
Original description
The Razorpay for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the getCouponList() function in all versions up to, and including, 4.7.8. This is due to the checkAuthCredentials() permission callback always returning true, providing no actual authentication. This makes it possible for unauthenticated attackers to modify the billing and shipping contact information (email and phone) of any WooCommerce order by knowing or guessing the order ID.
NVD CVSS 3.1: 5.3
Vulnerability type
CWE-306 Missing Authentication for Critical Function
Published: 19 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026
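
As an added example (not code from the plugin or from this advisory), a small Python audit that flags REST routes whose permission callback can only return true, the pattern the description attributes to checkAuthCredentials(). The PHP sample is constructed: only the names getCouponList and checkAuthCredentials come from the description, while the route paths, the second route, the function bodies, registration through register_rest_route and plain string callback names are assumptions.

```python
import re

# Constructed sample, NOT the plugin's real source. Only the two function names
# getCouponList / checkAuthCredentials come from the advisory text.
SAMPLE_PHP = r"""
<?php
register_rest_route('example/v1', 'coupon/list', array(
    'methods'             => 'POST',
    'callback'            => 'getCouponList',
    'permission_callback' => 'checkAuthCredentials',
));
register_rest_route('example/v1', 'order/notes', array(
    'methods'             => 'POST',
    'callback'            => 'saveOrderNotes',
    'permission_callback' => 'requireShopManager',
));
function checkAuthCredentials() {
    // TODO: validate credentials
    return true;
}
function requireShopManager() {
    return current_user_can('manage_woocommerce');
}
"""

# Heuristic patterns: string-named callbacks only, no nested-brace parsing.
ROUTE_RE = re.compile(
    r"'callback'\s*=>\s*'(\w+)'.*?'permission_callback'\s*=>\s*'(\w+)'", re.S)
FUNC_RE = re.compile(r"function\s+(\w+)\s*\([^)]*\)\s*\{(.*?)\}", re.S)
COMMENT_RE = re.compile(r"//[^\n]*|#[^\n]*|/\*.*?\*/", re.S)

def always_true_functions(php):
    """Names of functions whose body, comments stripped, is only `return true;`."""
    names = {"__return_true"}  # WordPress helper that also performs no check
    for name, body in FUNC_RE.findall(php):
        stripped = COMMENT_RE.sub("", body)
        if re.fullmatch(r"\s*return\s+true\s*;\s*", stripped, re.I):
            names.add(name)
    return names

def unauthenticated_routes(php):
    """(handler, permission_callback) pairs whose permission check cannot fail."""
    open_callbacks = always_true_functions(php)
    return [(h, p) for h, p in ROUTE_RE.findall(php) if p in open_callbacks]

if __name__ == "__main__":
    for handler, perm in unauthenticated_routes(SAMPLE_PHP):
        print(f"{handler}: permission callback {perm} always returns true")
```

A route flagged this way still needs manual review, since the handler may authenticate the caller by other means inside its own body.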