Attack Vectors
Razorpay for WooCommerce (slug: woo-razorpay) versions 4.7.8 and earlier have a Medium-severity issue (CVE-2025-14294, CVSS 5.3) that is exploitable over the internet without a user account.
An unauthenticated attacker who knows or can guess a WooCommerce order ID can send requests to a vulnerable plugin function and modify the billing and shipping contact details on that order, specifically the email address and phone number.
Because the vulnerability does not require user interaction and does not require login privileges, it is most concerning for businesses that rely on WooCommerce order records for customer communications, fulfillment workflows, fraud checks, and compliance documentation.
Security Weakness
The root issue is a missing capability (permission) check on the plugin’s getCouponList() functionality in versions up to and including 4.7.8. The associated permission callback, checkAuthCredentials(), always returns true, meaning it provides no real authentication.
This weakness creates an authorization gap: the site treats the request as permitted even when it originates from an unauthenticated source, allowing unauthorized changes to certain order fields when an order ID is supplied.
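The following is an added illustration, not the plugin's own code: it shows the defect class the advisory describes (a REST route whose permission callback unconditionally returns true) next to a corrected registration that requires a logged-in user with a WooCommerce order-editing capability. The namespace, route, function names and the hypothetical contact-update handler are assumptions made for this example; only the pattern (an always-true permission check versus a real capability check) is taken from the page.

```php
<?php
/**
 * Added example, not from Razorpay for WooCommerce. Assumed (hypothetical):
 * namespace 'example-shop/v1', route '/order-contact/(?P<id>\d+)', and the
 * handler example_update_order_contact(). WordPress/WooCommerce functions
 * used (register_rest_route, current_user_can, wc_get_order, ...) are real.
 */

// Weak pattern: every request is treated as permitted, so unauthenticated
// callers reach the handler. This is the authorization gap described above.
function example_always_true_permission( WP_REST_Request $request ) {
    return true;
}

// Hardened pattern: require an authenticated user and a WooCommerce capability
// that actually covers editing orders. Cookie-authenticated REST calls also
// need a valid X-WP-Nonce, which WordPress core checks before this runs.
function example_order_edit_permission( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }
    if ( ! current_user_can( 'edit_shop_orders' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient capability.', array( 'status' => 403 ) );
    }
    return true;
}

// Hypothetical handler that changes the contact fields the advisory mentions.
// With the weak permission callback above, this would be reachable by anyone
// who can guess an order ID.
function example_update_order_contact( WP_REST_Request $request ) {
    $order = wc_get_order( (int) $request['id'] );
    if ( ! $order ) {
        return new WP_Error( 'not_found', 'Order not found.', array( 'status' => 404 ) );
    }

    $email = sanitize_email( (string) $request->get_param( 'email' ) );
    $phone = sanitize_text_field( (string) $request->get_param( 'phone' ) );
    if ( '' !== $email && ! is_email( $email ) ) {
        return new WP_Error( 'invalid_email', 'Invalid email address.', array( 'status' => 400 ) );
    }

    if ( '' !== $email ) {
        $order->set_billing_email( $email );
    }
    if ( '' !== $phone ) {
        $order->set_billing_phone( $phone );
    }
    $order->save();

    return rest_ensure_response( array( 'updated' => true, 'order_id' => $order->get_id() ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-shop/v1', '/order-contact/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_update_order_contact',
        // Vulnerable variant: 'permission_callback' => 'example_always_true_permission',
        'permission_callback' => 'example_order_edit_permission',
        'args'                => array(
            'id' => array(
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value );
                },
            ),
        ),
    ) );
} );
```

The key point for reviewers of any plugin is the permission_callback: returning true without consulting the current user's capabilities makes the route effectively public regardless of what the handler does. A quick audit is to grep plugin code for register_rest_route and confirm every permission_callback calls current_user_can() (or an equivalent check) rather than returning a constant.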
Remediation is straightforward: update Razorpay for WooCommerce to version 4.7.9 or newer, which is reported as patched.
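As an added check, not part of the advisory or the vendor's code, the following must-use plugin snippet raises an admin notice when the installed Razorpay for WooCommerce version is still below the patched 4.7.9. The main plugin file path 'woo-razorpay/woo-razorpay.php' is an assumption based on the slug; adjust it if the plugin's main file is named differently.

```php
<?php
/**
 * Added example (not from the plugin or vendor): flag an unpatched
 * Razorpay for WooCommerce install. Drop into wp-content/mu-plugins/.
 * Assumption: main plugin file is woo-razorpay/woo-razorpay.php.
 */
add_action( 'admin_notices', function () {
    // Only users who could act on the notice need to see it.
    if ( ! current_user_can( 'update_plugins' ) ) {
        return;
    }

    if ( ! function_exists( 'get_plugin_data' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }

    $plugin_file = WP_PLUGIN_DIR . '/woo-razorpay/woo-razorpay.php'; // assumed path
    if ( ! file_exists( $plugin_file ) ) {
        return; // Plugin not installed; nothing to check.
    }

    // Read the Version header without markup or translation.
    $data    = get_plugin_data( $plugin_file, false, false );
    $version = isset( $data['Version'] ) ? $data['Version'] : '0';

    // Versions up to and including 4.7.8 are affected; 4.7.9 is reported patched.
    if ( version_compare( $version, '4.7.9', '<' ) ) {
        $message = sprintf(
            'Razorpay for WooCommerce %s is affected by CVE-2025-14294. Update to 4.7.9 or later.',
            $version
        );
        printf( '<div class="notice notice-error"><p>%s</p></div>', esc_html( $message ) );
    }
} );
```

The same version_compare() test can be run from a WP-CLI eval or a monitoring script if you prefer not to surface it in the dashboard; the comparison against '4.7.9' is the only plugin-specific fact it relies on.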
Technical or Business Impacts
While this vulnerability is not described as enabling data theft, it can still create meaningful business risk through unauthorized order record tampering. Altered customer email addresses and phone numbers can disrupt legitimate customer communications (order confirmations, shipping notifications, support outreach) and impair the accuracy of your customer journey reporting.
Operationally, incorrect contact details can lead to missed deliveries, delayed fulfillment, higher support volume, and increased chargeback or dispute risk if customers do not receive expected updates or if verification steps rely on the modified contact data.
From a leadership and compliance perspective, manipulated order records can weaken auditability and process integrity. If customer contact information is part of your internal controls (for example, fraud screening, proof of notification, or regulated communications), unauthorized changes can complicate investigations and increase the time and cost of incident response.
Similar Attacks
Unauthenticated and authorization-bypass issues in WordPress plugins are a common theme. For context, see examples such as CVE-2024-27956 (WordPress plugin security issue) and CVE-2023-27372 (WordPress plugin vulnerability).
For this specific issue, see the CVE record for CVE-2025-14294 and the Wordfence write-up. Updating to Razorpay for WooCommerce 4.7.9 or later is the primary risk-reduction step.