CVE-2025-68016 in Payment Gateway for WooCommerce Plugin

Summary

by MITRE • 01/22/2026

Missing Authorization vulnerability in Onepay Sri Lanka onepay Payment Gateway For WooCommerce onepay-payment-gateway-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects onepay Payment Gateway For WooCommerce: from n/a through <= 1.1.2.


Analysis

by VulDB Data Team • 01/27/2026

CVE-2025-68016 is a critical missing authorization flaw in the Onepay Sri Lanka onepay Payment Gateway For WooCommerce plugin, affecting version 1.1.2 and earlier. The plugin's access control levels are incorrectly configured: it does not properly validate the caller's permissions before granting access to sensitive administrative functions. Because the plugin is the integration layer between WooCommerce stores and Onepay's payment processing infrastructure, this gap creates a path for unauthorized users to reach payment processing controls and configuration settings.

The issue is classified as CWE-285 (Improper Authorization), in the specific form of Incorrectly Configured Access Control Security Levels. An attacker can bypass the plugin's intended access controls and reach administrative functions that should be available only to authorized administrators or merchants. This is particularly concerning because those functions sit in the core payment processing path of WooCommerce stores: an attacker could manipulate payment transactions, modify the payment gateway configuration, or access sensitive financial data.

The operational impact goes beyond unauthorized access to potential financial fraud and data compromise. An attacker who exploits the flaw could manipulate payment processing workflows, redirect payments to unauthorized accounts, modify transaction records, or extract sensitive merchant information. Since the plugin is the WooCommerce integration point for Onepay's payment gateway, every store running a vulnerable version is exposed to financial risk and to compromise of customer payment data, which undermines the trust model between online retailers and their payment processing partners.

Mitigation for CVE-2025-68016 should start with an immediate update of the plugin to version 1.1.3 or later, where the authorization flaw has been addressed. Administrators should also review access control across the site and confirm that every administrative interface validates the caller's permissions before performing a sensitive action. Network segmentation and monitoring of payment gateway interactions help detect unauthorized access attempts, and payment processing integrations should be assessed and operated under least-privilege access controls. In ATT&CK terms, the relevant techniques are T1078 (Valid Accounts) and T1566 (Phishing), which describe how an attacker may obtain the foothold needed to reach the vulnerable functions. Regular security audits of third-party plugins and payment gateway integrations remain essential for maintaining a robust security posture in e-commerce environments.
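The "validate permissions before granting access" point above is easiest to see in code. What follows is an added illustration written for this page; it is not code from the onepay plugin or from VulDB, and the action names, option key and settings fields are hypothetical. It shows a WordPress admin-ajax handler for saving gateway settings written in the CWE-285 pattern (no capability check at all), then the hardened form with a nonce check and a capability check, and finally the equivalent `permission_callback` for a REST route.

```php
<?php
// Added illustration (hypothetical plugin code, not the onepay plugin's own).
// A settings handler for a WooCommerce payment gateway, first in the
// CWE-285 "missing authorization" pattern, then hardened.

/**
 * Vulnerable pattern: the handler trusts anyone who can reach it.
 * Registering only 'wp_ajax_' still lets every logged-in user (customers,
 * subscribers) overwrite the gateway configuration; a 'wp_ajax_nopriv_'
 * registration would open it to unauthenticated visitors as well.
 */
add_action( 'wp_ajax_example_gateway_save_settings', 'example_gateway_save_settings_insecure' );
function example_gateway_save_settings_insecure() {
	$settings = array(
		'merchant_id'  => sanitize_text_field( wp_unslash( $_POST['merchant_id'] ?? '' ) ),
		'callback_url' => esc_url_raw( wp_unslash( $_POST['callback_url'] ?? '' ) ),
	);
	// Input is sanitized, but nobody asked whether this user may change it.
	update_option( 'example_gateway_settings', $settings );
	wp_send_json_success( $settings );
}

/**
 * Hardened pattern: reject forged requests, then require a capability that
 * only shop managers and administrators hold, before touching the option.
 */
add_action( 'wp_ajax_example_gateway_save_settings_v2', 'example_gateway_save_settings_secure' );
function example_gateway_save_settings_secure() {
	// CSRF protection: the nonce must have been issued for this action.
	// check_ajax_referer() terminates the request on failure.
	check_ajax_referer( 'example_gateway_settings', 'nonce' );

	// Authorization: 'manage_woocommerce' is the capability WooCommerce
	// assigns to shop managers and administrators. Customers do not have it.
	if ( ! current_user_can( 'manage_woocommerce' ) ) {
		wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
	}

	$settings = array(
		'merchant_id'  => sanitize_text_field( wp_unslash( $_POST['merchant_id'] ?? '' ) ),
		'callback_url' => esc_url_raw( wp_unslash( $_POST['callback_url'] ?? '' ) ),
	);
	update_option( 'example_gateway_settings', $settings );
	wp_send_json_success( $settings );
}

/**
 * REST variant: the same capability check belongs in permission_callback.
 * Returning '__return_true' here would reproduce the missing-authorization bug.
 */
add_action( 'rest_api_init', function () {
	register_rest_route( 'example-gateway/v1', '/settings', array(
		'methods'             => 'POST',
		'callback'            => 'example_gateway_rest_save_settings',
		'permission_callback' => function () {
			return current_user_can( 'manage_woocommerce' );
		},
	) );
} );
function example_gateway_rest_save_settings( WP_REST_Request $request ) {
	$settings = array(
		'merchant_id'  => sanitize_text_field( (string) $request->get_param( 'merchant_id' ) ),
		'callback_url' => esc_url_raw( (string) $request->get_param( 'callback_url' ) ),
	);
	update_option( 'example_gateway_settings', $settings );
	return rest_ensure_response( $settings );
}
```

When auditing a plugin for this class of flaw, the places to look are every `wp_ajax_*` and `wp_ajax_nopriv_*` hook, every `register_rest_route()` call, and any handler on `init` or `admin_post_*` that writes options or order data: each one should carry both a nonce check and a `current_user_can()` check against a capability appropriate to the action, not merely a check that the user is logged in.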
