What the vulnerability does
01Description
The Order Tip for WooCommerce plugin for WordPress is vulnerable to Unauthenticated Improper Input Validation in all versions up to, and including, 1.5.4. This is due to lack of server-side validation on the `data-tip` attribute, which makes it possible for unauthenticated attackers to apply an excessive or even negative tip amount, resulting in unauthorized discount up to free orders depending on the value submitted.
Explanation of Vulnerability in Simple Terms
02Summary
Order Tip for WooCommerce versions up to 1.5.4 contain a flaw that allows attackers to modify data without authentication. The vulnerability requires only network access and no user interaction. Site administrators should update to a version newer than 1.5.4 to prevent unauthorized data manipulation.
What an attacker can do
03Attacker Capabilities
Modify or corrupt order tip data without logging in.
Potential impact on your site
04Site Impact
Attackers can alter tip amounts, order records, or related data without authorization.
Conditions required to exploit
05Prerequisites
Network access only; no authentication or user interaction required.
Key dates
06Disclosure timeline
August 15, 2025
CVE published
April 8, 2026
Record updated