WordPress
CVE-2025-12883
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Campay Woocommerce Payment Gateway plugin for WordPress is vulnerable to Unauthenticated Payment Bypass in all versions up to, and including, 1.2.2. This is due to the plugin not properly validating that a transaction has occurred through the payment gateway. This makes it possible for unauthenticated attackers to bypass payments and mark orders as successfully completed resulting in a loss of income.
AnalysisAI
Unauthenticated payment bypass in Campay Woocommerce Payment Gateway plugin (versions up to 1.2.2) allows remote attackers to mark orders as successfully completed without actually processing payment, directly resulting in financial loss. The vulnerability stems from insufficient transaction validation in the payment processing workflow, enabling attackers to manipulate order status through the payment gateway interface.
Technical ContextAI
The Campay Woocommerce Payment Gateway plugin integrates third-party payment processing into WordPress e-commerce sites via WooCommerce. The vulnerability (CWE-639: Authorization in Settings) indicates a failure in the plugin's authorization logic, specifically in validating that legitimate payment transactions have occurred before marking orders as paid. Unauthenticated remote attackers can exploit the lack of proper server-side transaction verification to bypass the payment gateway's intended security controls, allowing them to forge successful payment confirmations without authorization checks or prior authentication.
Affected ProductsAI
Campay API (WooCommerce Payment Gateway) plugin for WordPress is affected in all versions up to and including 1.2.3. The plugin is hosted on the WordPress plugin repository at wordpress.org/plugins/campay-api/. Users running version 1.2.2 or earlier are vulnerable; the plugin integrates payment processing into WooCommerce-based online stores.
RemediationAI
Immediately update the Campay Woocommerce Payment Gateway plugin to version 1.2.3 or later, which implements proper transaction validation. Update via WordPress admin dashboard (Plugins > Installed Plugins > Campay API > Update) or download directly from the WordPress plugin repository. Verify the update has been applied by confirming the plugin version in Plugins settings. No workarounds are available for this authentication bypass; patching is the only mitigation. Administrators should also review recent order history for suspicious orders marked as paid without corresponding payment records and investigate potential fraud.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today