Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-39362

CVE-2025-39362: Mollie WooCommerce Auth Bypass Flaw

CVE-2025-39362 is a missing authorization vulnerability in Mollie Payments for WooCommerce plugin affecting versions up to 8.0.2. This flaw allows unauthorized access bypass. Learn about technical details, impact, and mitigation.

Published:

CVE-2025-39362 Overview

CVE-2025-39362 is a Missing Authorization vulnerability [CWE-862] affecting the Mollie Payments for WooCommerce WordPress plugin. The flaw manifests as an Insecure Direct Object Reference (IDOR) and impacts all plugin versions up to and including 8.0.2. Unauthenticated attackers can reach protected functionality over the network without user interaction. The issue exposes integrity and availability of payment-related objects handled by the plugin. Store owners running WooCommerce with Mollie integrations should treat this as a payment-flow risk requiring prompt patching.

Critical Impact

Unauthenticated network attackers can access or manipulate payment objects belonging to other users due to missing authorization checks, affecting transaction integrity in WooCommerce stores.

Affected Products

  • Mollie Payments for WooCommerce plugin for WordPress
  • All versions from initial release through 8.0.2
  • WooCommerce stores integrating Mollie payment processing

Discovery Timeline

  • 2025-07-02 - CVE-2025-39362 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-39362

Vulnerability Analysis

The vulnerability is classified under [CWE-862] Missing Authorization and presents as an Insecure Direct Object Reference. The plugin exposes functionality that references internal payment or order objects using identifiers supplied by the requester. The application fails to verify whether the caller owns the referenced object or holds the required capability. An attacker can substitute an identifier belonging to another user and reach protected data or actions. The advisory published by Patchstack confirms the IDOR pattern in versions up to 8.0.1, and the NVD entry extends the affected range through 8.0.2.

Root Cause

The root cause is absent or insufficient authorization enforcement on plugin endpoints that operate on object identifiers. Standard WordPress capability checks such as current_user_can() and nonce validation via check_ajax_referer() are either missing or inadequately applied. Because the plugin trusts the object reference supplied in the request, any authenticated or unauthenticated caller can enumerate identifiers and act on objects they do not own.

Attack Vector

Exploitation occurs remotely over HTTP or HTTPS against the WordPress site hosting the plugin. The attacker crafts a request to the vulnerable plugin endpoint and supplies an object identifier belonging to another customer or order. No privileges and no user interaction are required. The impact is bounded to low integrity and low availability effects on payment-related objects, with no direct confidentiality loss according to the published CVSS vector.

No public proof-of-concept code has been released. Refer to the Patchstack Vulnerability Advisory for technical details.

Detection Methods for CVE-2025-39362

Indicators of Compromise

  • Unexpected HTTP requests to Mollie plugin endpoints containing sequential or enumerated order and payment identifiers
  • WooCommerce order status changes or payment state transitions that do not correlate with legitimate customer sessions
  • Requests to plugin AJAX or REST routes originating from unauthenticated sessions or unusual IP ranges

Detection Strategies

  • Review web server access logs for high-volume requests to mollie-payments-for-woocommerce routes with varying order_id or payment identifier parameters
  • Correlate WooCommerce order audit logs with authenticated user sessions to detect mismatches
  • Deploy a Web Application Firewall (WAF) rule flagging unauthenticated access to plugin endpoints that reference object identifiers

Monitoring Recommendations

  • Enable verbose logging on WordPress and WooCommerce, including order lifecycle events
  • Monitor the plugin version installed across all WordPress instances and alert on versions at or below 8.0.2
  • Track HTTP 200 responses on plugin endpoints paired with 4xx responses on adjacent authenticated routes as a possible IDOR signature

How to Mitigate CVE-2025-39362

Immediate Actions Required

  • Update Mollie Payments for WooCommerce to a version above 8.0.2 as soon as the vendor releases a fixed build
  • Audit recent WooCommerce orders and Mollie transactions for unauthorized state changes
  • Restrict administrative and checkout endpoints behind a WAF with rules blocking anomalous identifier enumeration

Patch Information

The advisory covers versions up to and including 8.0.2. Site administrators should consult the Patchstack Vulnerability Advisory and the official Mollie plugin changelog on the WordPress plugin repository for the fixed release version and apply it through the WordPress admin console or WP-CLI.

Workarounds

  • Temporarily disable the Mollie Payments for WooCommerce plugin if patching is not immediately feasible
  • Apply virtual patching through a WAF to enforce authorization on the affected plugin endpoints
  • Limit access to /wp-admin and WooCommerce REST endpoints to known IP ranges where operationally acceptable
bash
# Configuration example: update plugin via WP-CLI once a fixed version is available
wp plugin update mollie-payments-for-woocommerce
wp plugin list --name=mollie-payments-for-woocommerce --fields=name,version,status

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.