{"api_version":"1","generated_at":"2026-04-26T20:01:27+00:00","cve":"CVE-2025-15513","urls":{"html":"https://cve.report/CVE-2025-15513","api":"https://cve.report/api/cve/CVE-2025-15513.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2025-15513","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2025-15513"},"summary":{"title":"Float Payment Gateway <= 1.1.9 - Improper Authorization to Unauthenticated Order Status Manipulation","description":"The Float Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to improper error handling in the verifyFloatResponse() function in all versions up to, and including, 1.1.9. This makes it possible for unauthenticated attackers to mark any WooCommerce order as failed.","state":"PUBLISHED","assigner":"Wordfence","published_at":"2026-01-14 07:16:14","updated_at":"2026-04-08 19:23:45"},"problem_types":["CWE-863","CWE-863 CWE-863 Incorrect Authorization"],"metrics":[{"version":"3.1","source":"security@wordfence.com","type":"Secondary","score":"5.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"5.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","data":{"baseScore":5.3,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","version":"3.1"}}],"references":[{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/b2c7fb39-d128-4285-8bc3-1e192e1e1196?source=cve","name":"https://www.wordfence.com/threat-intel/vulnerabilities/id/b2c7fb39-d128-4285-8bc3-1e192e1e1196?source=cve","refsource":"security@wordfence.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3444078%40float-gateway&new=3444078%40float-gateway&sfp_email=&sfph_mail=","name":"https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3444078%40float-gateway&new=3444078%40float-gateway&sfp_email=&sfph_mail=","refsource":"security@wordfence.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://plugins.trac.wordpress.org/browser/float-gateway/tags/1.1.9/index.php#L477","name":"https://plugins.trac.wordpress.org/browser/float-gateway/tags/1.1.9/index.php#L477","refsource":"security@wordfence.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2025-15513","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-15513","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"floattechnologies","product":"Float Payment Gateway","version":"affected 1.1.9 semver","platforms":[]}],"timeline":[{"source":"CNA","time":"2025-12-15T00:00:00.000Z","lang":"en","value":"Discovered"},{"source":"CNA","time":"2026-01-13T17:33:22.000Z","lang":"en","value":"Disclosed"}],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Md. Moniruzzaman Prodhan","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2025","cve_id":"15513","cve":"CVE-2025-15513","epss":"0.000890000","percentile":"0.253550000","score_date":"2026-04-13","updated_at":"2026-04-14 00:12:05"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2025-15513","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-01-14T20:30:19.125983Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-01-14T20:30:29.106Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Float Payment Gateway","vendor":"floattechnologies","versions":[{"lessThanOrEqual":"1.1.9","status":"affected","version":"0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"Md. Moniruzzaman Prodhan"}],"descriptions":[{"lang":"en","value":"The Float Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to improper error handling in the verifyFloatResponse() function in all versions up to, and including, 1.1.9. This makes it possible for unauthenticated attackers to mark any WooCommerce order as failed."}],"metrics":[{"cvssV3_1":{"baseScore":5.3,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-863","description":"CWE-863 Incorrect Authorization","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-08T17:16:31.375Z","orgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","shortName":"Wordfence"},"references":[{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/b2c7fb39-d128-4285-8bc3-1e192e1e1196?source=cve"},{"url":"https://plugins.trac.wordpress.org/browser/float-gateway/tags/1.1.9/index.php#L477"},{"url":"https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3444078%40float-gateway&new=3444078%40float-gateway&sfp_email=&sfph_mail="}],"timeline":[{"lang":"en","time":"2025-12-15T00:00:00.000Z","value":"Discovered"},{"lang":"en","time":"2026-01-13T17:33:22.000Z","value":"Disclosed"}],"title":"Float Payment Gateway <= 1.1.9 - Improper Authorization to Unauthenticated Order Status Manipulation"}},"cveMetadata":{"assignerOrgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","assignerShortName":"Wordfence","cveId":"CVE-2025-15513","datePublished":"2026-01-14T06:40:07.126Z","dateReserved":"2026-01-12T12:10:48.753Z","dateUpdated":"2026-04-08T17:16:31.375Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-01-14 07:16:14","lastModifiedDate":"2026-04-08 19:23:45","problem_types":["CWE-863","CWE-863 CWE-863 Incorrect Authorization"],"metrics":{"cvssMetricV31":[{"source":"security@wordfence.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":1.4}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2025","CveId":"15513","Ordinal":"1","Title":"Float Payment Gateway <= 1.1.9 - Improper Authorization to Unaut","CVE":"CVE-2025-15513","Year":"2025"},"notes":[{"CveYear":"2025","CveId":"15513","Ordinal":"1","NoteData":"The Float Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to improper error handling in the verifyFloatResponse() function in all versions up to, and including, 1.1.9. This makes it possible for unauthenticated attackers to mark any WooCommerce order as failed.","Type":"Description","Title":"Float Payment Gateway <= 1.1.9 - Improper Authorization to Unaut"}]}}}