CVE-2025-39362 Overview
CVE-2025-39362 is a Missing Authorization vulnerability [CWE-862] affecting the Mollie Payments for WooCommerce WordPress plugin. The flaw manifests as an Insecure Direct Object Reference (IDOR) and impacts all plugin versions up to and including 8.0.2. Unauthenticated attackers can reach protected functionality over the network without user interaction. The issue exposes integrity and availability of payment-related objects handled by the plugin. Store owners running WooCommerce with Mollie integrations should treat this as a payment-flow risk requiring prompt patching.
Critical Impact
Unauthenticated network attackers can access or manipulate payment objects belonging to other users due to missing authorization checks, affecting transaction integrity in WooCommerce stores.
Affected Products
- Mollie Payments for WooCommerce plugin for WordPress
- All versions from initial release through 8.0.2
- WooCommerce stores integrating Mollie payment processing
Discovery Timeline
- 2025-07-02 - CVE-2025-39362 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-39362
Vulnerability Analysis
The vulnerability is classified under [CWE-862] Missing Authorization and presents as an Insecure Direct Object Reference. The plugin exposes functionality that references internal payment or order objects using identifiers supplied by the requester. The application fails to verify whether the caller owns the referenced object or holds the required capability. An attacker can substitute an identifier belonging to another user and reach protected data or actions. The advisory published by Patchstack confirms the IDOR pattern in versions up to 8.0.1, and the NVD entry extends the affected range through 8.0.2.
Root Cause
The root cause is absent or insufficient authorization enforcement on plugin endpoints that operate on object identifiers. Standard WordPress capability checks such as current_user_can() and nonce validation via check_ajax_referer() are either missing or inadequately applied. Because the plugin trusts the object reference supplied in the request, any authenticated or unauthenticated caller can enumerate identifiers and act on objects they do not own.
Attack Vector
Exploitation occurs remotely over HTTP or HTTPS against the WordPress site hosting the plugin. The attacker crafts a request to the vulnerable plugin endpoint and supplies an object identifier belonging to another customer or order. No privileges and no user interaction are required. The impact is bounded to low integrity and low availability effects on payment-related objects, with no direct confidentiality loss according to the published CVSS vector.
No public proof-of-concept code has been released. Refer to the Patchstack Vulnerability Advisory for technical details.
Detection Methods for CVE-2025-39362
Indicators of Compromise
- Unexpected HTTP requests to Mollie plugin endpoints containing sequential or enumerated order and payment identifiers
- WooCommerce order status changes or payment state transitions that do not correlate with legitimate customer sessions
- Requests to plugin AJAX or REST routes originating from unauthenticated sessions or unusual IP ranges
Detection Strategies
- Review web server access logs for high-volume requests to mollie-payments-for-woocommerce routes with varying order_id or payment identifier parameters
- Correlate WooCommerce order audit logs with authenticated user sessions to detect mismatches
- Deploy a Web Application Firewall (WAF) rule flagging unauthenticated access to plugin endpoints that reference object identifiers
Monitoring Recommendations
- Enable verbose logging on WordPress and WooCommerce, including order lifecycle events
- Monitor the plugin version installed across all WordPress instances and alert on versions at or below 8.0.2
- Track HTTP 200 responses on plugin endpoints paired with 4xx responses on adjacent authenticated routes as a possible IDOR signature
How to Mitigate CVE-2025-39362
Immediate Actions Required
- Update Mollie Payments for WooCommerce to a version above 8.0.2 as soon as the vendor releases a fixed build
- Audit recent WooCommerce orders and Mollie transactions for unauthorized state changes
- Restrict administrative and checkout endpoints behind a WAF with rules blocking anomalous identifier enumeration
Patch Information
The advisory covers versions up to and including 8.0.2. Site administrators should consult the Patchstack Vulnerability Advisory and the official Mollie plugin changelog on the WordPress plugin repository for the fixed release version and apply it through the WordPress admin console or WP-CLI.
Workarounds
- Temporarily disable the Mollie Payments for WooCommerce plugin if patching is not immediately feasible
- Apply virtual patching through a WAF to enforce authorization on the affected plugin endpoints
- Limit access to /wp-admin and WooCommerce REST endpoints to known IP ranges where operationally acceptable
# Configuration example: update plugin via WP-CLI once a fixed version is available
wp plugin update mollie-payments-for-woocommerce
wp plugin list --name=mollie-payments-for-woocommerce --fields=name,version,status
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

