Main Vulnerability Database SB2026012036

SB2026012036 - Missing Authorization in Wallet System for WooCommerce plugin for WordPress

Published: January 20, 2026

Security Bulletin ID SB2026012036

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Missing Authorization (CVE-ID: CVE-2025-14450)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to missing authorization checks in the "change_wallet_fund_request_status_callback" function. A remote user can manipulate wallet withdrawal requests and arbitrarily increase their wallet balance or decrease other users' balances.

Remediation

Install update from vendor's website.

References

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wallet-system-for-woocommerce/wallet-system-for-woocommerce-272-missing-authorization-to-authenticated-subscriber-arbitrary-wallet-balance-manipulation