CVE-2025-2907

nvd nist nuclei

Published: Apr 26, 2025Modified: May 14, 2025

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

The Order Delivery Date WordPress plugin before 12.3.1 does not have authorization and CSRF checks when importing settings. Furthermore it also lacks proper checks to only update options relevant to the Order Delivery Date WordPress plugin before 12.3.1. This leads to attackers being able to modify the default_user_role to administrator and users_can_register, allowing them to register as an administrator of the site for complete site takeover.

Affected (1)

Products: Tychesoftwares: Order Delivery Date Pro For Woocommerce

1 product

Order Delivery Date Pro For Woocommerce

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Tychesoftwares Order Delivery Date Pro For Woocommerce	Before 12.3.1

Related CWEs

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (2)

https://wpscan.com/vulnerability/2e513930-ec01-4dc6-8991-645c5267e14c/

Source: contact@wpscan.com

ExploitThird Party Advisory

https://wpscan.com/vulnerability/2e513930-ec01-4dc6-8991-645c5267e14c/

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

ExploitThird Party Advisory

Timeline

No history available yet.