CVE-2025-14886: Japanized for WooCommerce Plugin Exposes Orders to Unauthorized Changes
Summary
The Japanized for WooCommerce plugin for WordPress has a security weakness that lets attackers change the status of any order without authorization. An attacker could mark an order as completed or processed without the merchant's knowledge or consent. To fix this, update the plugin to a version newer than 2.7.17.
Original title
The Japanized for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `order` REST API endpoint in all versions up to, and i...
Original description
The Japanized for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `order` REST API endpoint in all versions up to, and including, 2.7.17. This makes it possible for unauthenticated attackers to mark any WooCommerce order as processed/completed.
NVD CVSS 3.1
5.3
Vulnerability type
CWE-862
Missing Authorization
Published: 9 Jan 2026 · Updated: 15 Jun 2026 · First seen: 7 Mar 2026