CVE-2025-6025 HIGH

CVE-2025-6025: Order Tip for WooCommerce <= 1.5.4 - Unauthenticated Tip Manipulation to Negative Value Leading to Unauthorized Discounts

Vendor: Railmedia
Product: Order Tip for WooCommerce
Weakness: CWE-602 (Client-Side Enforcement of Server-Side Security)
Published: August 15, 2025
Last update: April 8, 2026

CVSS base score

7.5/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: None
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

What the vulnerability does

01 Description

The Order Tip for WooCommerce plugin for WordPress is vulnerable to unauthenticated improper input validation in all versions up to, and including, 1.5.4. The tip amount is taken from the client-side `data-tip` attribute without server-side validation, which makes it possible for unauthenticated attackers to submit an excessive or even negative tip amount, resulting in unauthorized discounts, up to free orders, depending on the value submitted.
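The weakness class here is CWE-602: the only check on the tip value lives in the browser, so the server must re-validate whatever arrives. The following PHP is an added illustration of that server-side check, not the plugin's own code; the function names, the session key `example_tip`, the AJAX action `example_set_tip`, the nonce name and the cap of 100% of the cart subtotal are all assumptions. It uses the real WooCommerce hook `woocommerce_cart_calculate_fees` and `WC_Cart::add_fee()` so that a negative or oversized tip can never become a discount.

```php
<?php
/**
 * Added example (not the Order Tip for WooCommerce plugin's own code):
 * server-side validation of a submitted tip before it becomes a cart fee.
 * Hypothetical names: example_* functions, the 'example_tip' session key,
 * the 'example_set_tip' AJAX action and the 'example_tip_nonce' nonce.
 */

// Normalise and bound a submitted tip against the cart subtotal.
// Returns a float >= 0, or null when the value must be rejected.
function example_validate_tip( $raw, float $subtotal, float $max_ratio = 1.0 ): ?float {
    if ( ! is_scalar( $raw ) || ! is_numeric( (string) $raw ) ) {
        return null;                        // non-numeric input is rejected outright
    }
    $tip = round( (float) $raw, 2 );
    if ( $tip < 0 ) {
        return null;                        // a negative tip would act as a discount
    }
    if ( $subtotal > 0 && $tip > $subtotal * $max_ratio ) {
        return null;                        // assumed cap: tip may not exceed the subtotal
    }
    return $tip;
}

// AJAX handler: the tip is stored in the WooCommerce session only after validation.
add_action( 'wp_ajax_nopriv_example_set_tip', 'example_handle_set_tip' );
add_action( 'wp_ajax_example_set_tip', 'example_handle_set_tip' );
function example_handle_set_tip() {
    check_ajax_referer( 'example_tip_nonce', 'nonce' );   // assumed nonce name
    $subtotal = (float) WC()->cart->get_subtotal();
    $tip      = example_validate_tip( wp_unslash( $_POST['tip'] ?? '' ), $subtotal );
    if ( null === $tip ) {
        wp_send_json_error( array( 'message' => 'Invalid tip amount.' ), 400 );
    }
    WC()->session->set( 'example_tip', $tip );
    wp_send_json_success( array( 'tip' => $tip ) );
}

// Fee calculation: re-validate the stored value rather than trusting any
// client-side attribute or earlier request; the cart subtotal may have changed.
add_action( 'woocommerce_cart_calculate_fees', 'example_apply_tip_fee' );
function example_apply_tip_fee( WC_Cart $cart ) {
    if ( is_admin() && ! defined( 'DOING_AJAX' ) ) {
        return;
    }
    $tip = example_validate_tip(
        WC()->session->get( 'example_tip', 0 ),
        (float) $cart->get_subtotal()
    );
    if ( null !== $tip && $tip > 0 ) {
        $cart->add_fee( __( 'Tip', 'example' ), $tip, false );
    }
}
```

The design point is that validation runs twice: once when the value is accepted into the session, and again at fee-calculation time, because the cart totals a tip is bounded by can change between the two requests. Any `data-*` attribute, hidden field or JavaScript-side clamp is only a usability aid; the server must treat the submitted amount as untrusted input.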

Explanation of Vulnerability in Simple Terms

02 Summary

Order Tip for WooCommerce versions up to and including 1.5.4 contain a flaw that allows attackers to modify tip data without authentication. Exploitation requires only network access and no user interaction. Site administrators should update to a version newer than 1.5.4 to prevent unauthorized data manipulation.

What an attacker can do

03 Attacker Capabilities

Modify or corrupt order tip data without logging in.

Potential impact on your site

04 Site Impact

Attackers can alter tip amounts, order records, or related data without authorization.

Conditions required to exploit

05 Prerequisites

Network access only; no authentication or user interaction required.

Key dates

06 Disclosure timeline

August 15, 2025: CVE published
April 8, 2026: Record updated