CVE-2025-15511 MEDIUM

CVE-2025-15511: Rupantorpay <= 2.0.0 - Missing Authorization to Unauthenticated Order Status Modification

Vendor Rupantorpay

Product Rupantorpay

Weakness CWE-862 · Missing authorization

Published January 28, 2026

Last update April 8, 2026

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality None

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

The Rupantorpay plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_webhook() function in all versions up to, and including, 2.0.0. This makes it possible for unauthenticated attackers to modify WooCommerce order statuses by sending crafted requests to the WooCommerce API endpoint.

Explanation of Vulnerability in Simple Terms

02Summary

Rupantorpay versions 2.0.0 and earlier lack proper authorization checks, allowing unauthenticated attackers to modify data on the system. The vulnerability requires only network access and no user interaction. An attacker can alter information without needing valid credentials or victim involvement.

What an attacker can do

03Attacker Capabilities

Modify data on the system without authentication.

Potential impact on your site

04Site Impact

Unauthorized users can alter payment or transaction data if Rupantorpay is integrated with your site.

Conditions required to exploit

05Prerequisites

Network access only; no authentication or user interaction required.

Key dates

06Disclosure timeline

January 28, 2026 CVE published

April 8, 2026 Record updated

External resources

07References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-15511 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/862.html

Related vulnerabilities