CVE-2025-9463: 
WordPress vulnerability analysis and mitigation

The CVE-2025-9463 vulnerability was discovered in PeachPay for WooCommerce plugin version 1.117.4 and earlier versions. The vulnerability was disclosed and patched in version 1.117.5, released on August 20, 2025. This security issue affected the order status endpoint in the plugin, which is used by WooCommerce stores for payment processing and checkout functionality (PeachPay Changelog).

The vulnerability was identified as a Broken Access Control issue in the order status endpoint (/wp-json/peachpay/v1/order/status). The flaw allowed unauthenticated users to modify order statuses due to improper authentication and authorization checks. This vulnerability exposed critical order management functionality that should have been restricted to authenticated administrators only (PeachPay Changelog).

The vulnerability could allow unauthorized users to manipulate order statuses in WooCommerce stores using PeachPay. This could potentially lead to financial losses through order manipulation, disruption of business operations, and compromise of order management integrity (PeachPay Changelog).

The vulnerability was patched in version 1.117.5 of the PeachPay for WooCommerce plugin. The fix included implementing proper authentication and authorization checks for the order status endpoint, adding multiple authentication methods for legitimate webhook and API access. Users are strongly advised to update to version 1.117.5 or later to protect their stores (PeachPay Changelog).