CVE-2025-12883

Severity: MEDIUM (CVSS 3.1 base score 5.3)
Published: 2025-12-12 (source: [email protected])

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Lifecycle Timeline

CVE Published: Dec 12, 2025 - 04:15 (nvd)
Analysis Generated: Apr 08, 2026 - 17:22 (vuln.today)

Description

The Campay Woocommerce Payment Gateway plugin for WordPress is vulnerable to Unauthenticated Payment Bypass in all versions up to, and including, 1.2.2. This is due to the plugin not properly validating that a transaction has occurred through the payment gateway. This makes it possible for unauthenticated attackers to bypass payments and mark orders as successfully completed, resulting in a loss of income.

Analysis

Unauthenticated payment bypass in Campay Woocommerce Payment Gateway plugin (versions up to 1.2.2) allows remote attackers to mark orders as successfully completed without actually processing payment, directly resulting in financial loss. The vulnerability stems from insufficient transaction validation in the payment processing workflow, enabling attackers to manipulate order status through the payment gateway interface.

Technical Context

The Campay Woocommerce Payment Gateway plugin integrates third-party payment processing into WordPress e-commerce sites via WooCommerce. The vulnerability (CWE-639: Authorization in Settings) indicates a failure in the plugin's authorization logic, specifically in validating that legitimate payment transactions have occurred before marking orders as paid. Unauthenticated remote attackers can exploit the lack of proper server-side transaction verification to bypass the payment gateway's intended security controls, allowing them to forge successful payment confirmations without authorization checks or prior authentication.
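The flaw class described above is a gateway return or callback handler that marks an order paid on the strength of a client-controlled "success" signal instead of confirming the transaction with the processor. The block below is an added illustration of that pattern beside a hardened handler for a hypothetical WooCommerce gateway; it is not code from the Campay plugin, whose source is not shown on this page. The gateway id `example_gateway`, the option name `example_gateway_api_secret`, the order meta key `_example_gateway_reference`, the verification URL `https://api.example.invalid/v1/transactions/` and the JSON fields `id`, `status`, `amount` and `currency` are all assumptions chosen for the example, not Campay's API. The WooCommerce and WordPress calls (`wc_get_order`, `payment_complete`, `is_paid`, `wp_remote_get`, the `woocommerce_api_*` action) are real.

```php
<?php
// Added illustration, not the Campay plugin's code. Gateway-specific names are assumptions.

// --- Vulnerable pattern: the order is completed because the browser said so. ---
// Reached via https://shop.example/?wc-api=example_gateway_return_vulnerable&order_id=...&status=success
add_action( 'woocommerce_api_example_gateway_return_vulnerable', 'example_gateway_return_vulnerable' );
function example_gateway_return_vulnerable() {
    $order_id = isset( $_GET['order_id'] ) ? absint( $_GET['order_id'] ) : 0;
    $status   = isset( $_GET['status'] ) ? sanitize_text_field( wp_unslash( $_GET['status'] ) ) : '';
    $order    = wc_get_order( $order_id );
    if ( $order && 'success' === $status ) {
        // Nothing here proves the processor ever charged the customer.
        $order->payment_complete();
    }
    wp_safe_redirect( $order ? $order->get_checkout_order_received_url() : wc_get_checkout_url() );
    exit;
}

// --- Hardened pattern: confirm the transaction server-side before completing the order. ---
// Assumes process_payment() (not shown) stored the gateway reference it created for this order:
//   $order->update_meta_data( '_example_gateway_reference', $reference ); $order->save();
add_action( 'woocommerce_api_example_gateway_return', 'example_gateway_return_hardened' );
function example_gateway_return_hardened() {
    $order_id  = isset( $_GET['order_id'] ) ? absint( $_GET['order_id'] ) : 0;
    $reference = isset( $_GET['reference'] ) ? sanitize_text_field( wp_unslash( $_GET['reference'] ) ) : '';
    $order     = wc_get_order( $order_id );

    if ( ! $order || '' === $reference ) {
        wp_die( 'Invalid request', 'Payment', array( 'response' => 400 ) );
    }

    // Idempotency: a repeated callback for an already-paid order must not re-run completion.
    if ( $order->is_paid() ) {
        wp_safe_redirect( $order->get_checkout_order_received_url() );
        exit;
    }

    // The reference must be the one this site stored for this order, so a transaction
    // belonging to a different (cheaper) order cannot be replayed against it.
    if ( ! hash_equals( (string) $order->get_meta( '_example_gateway_reference' ), $reference ) ) {
        $order->add_order_note( 'Payment callback rejected: reference does not belong to this order.' );
        wp_die( 'Invalid request', 'Payment', array( 'response' => 400 ) );
    }

    // Ask the processor what actually happened; never trust the redirect parameters for this.
    $tx = example_gateway_lookup_transaction( $reference );
    if ( null === $tx ) {
        // Lookup failed (network error, non-200): leave the order pending for a later retry.
        $order->add_order_note( 'Payment verification could not reach the gateway; order left unpaid.' );
        wc_add_notice( __( 'Your payment could not be verified yet. Please contact us.', 'example-gateway' ), 'error' );
        wp_safe_redirect( wc_get_checkout_url() );
        exit;
    }

    // Status, amount and currency must all match the order, not just "status == success".
    $amount_matches = abs( (float) ( $tx['amount'] ?? 0 ) - (float) $order->get_total() ) < 0.005;
    if ( 'SUCCESSFUL' !== ( $tx['status'] ?? '' ) || ( $tx['currency'] ?? '' ) !== $order->get_currency() || ! $amount_matches ) {
        $order->update_status( 'failed', 'Gateway transaction did not match order (status/amount/currency).' );
        wc_add_notice( __( 'Your payment could not be verified.', 'example-gateway' ), 'error' );
        wp_safe_redirect( wc_get_checkout_url() );
        exit;
    }

    // Only now is the order marked paid, with the processor's transaction id recorded on it.
    $order->payment_complete( (string) $tx['id'] );
    $order->add_order_note( sprintf( 'Gateway transaction %s verified: %s %s.', $tx['id'], $tx['amount'], $tx['currency'] ) );
    wp_safe_redirect( $order->get_checkout_order_received_url() );
    exit;
}

// Server-to-server lookup of a transaction by reference (hypothetical endpoint and response shape).
function example_gateway_lookup_transaction( $reference ) {
    $secret   = get_option( 'example_gateway_api_secret' ); // assumption: set on the gateway settings page
    $response = wp_remote_get(
        'https://api.example.invalid/v1/transactions/' . rawurlencode( $reference ),
        array(
            'timeout' => 15,
            'headers' => array( 'Authorization' => 'Bearer ' . $secret ),
        )
    );
    if ( is_wp_error( $response ) || 200 !== (int) wp_remote_retrieve_response_code( $response ) ) {
        return null;
    }
    $data = json_decode( wp_remote_retrieve_body( $response ), true );
    return is_array( $data ) ? $data : null;
}
```

The hardened handler binds the callback to a reference the site itself issued, asks the processor for the transaction's real state over an authenticated server-to-server request, and checks amount and currency as well as status before calling `payment_complete()`; the order note it writes also gives administrators the "corresponding payment record" the Remediation section suggests reviewing orders against.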

Affected Products

The Campay API (WooCommerce Payment Gateway) plugin for WordPress, hosted on the WordPress plugin repository at wordpress.org/plugins/campay-api/, is affected in all versions up to and including 1.2.2. Users running version 1.2.2 or earlier are vulnerable; the plugin integrates payment processing into WooCommerce-based online stores.

Remediation

Immediately update the Campay Woocommerce Payment Gateway plugin to version 1.2.3 or later, which implements proper transaction validation. Update via the WordPress admin dashboard (Plugins > Installed Plugins > Campay API > Update) or download directly from the WordPress plugin repository. Verify the update has been applied by confirming the plugin version under Plugins. No workarounds are available for this payment bypass; patching is the only mitigation. Administrators should also review recent order history for orders marked as paid without a corresponding payment record at the gateway and investigate potential fraud.

Priority Score

26 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.1
CVSS: +26
POC: 0
