CVE-2025-2907

CRITICAL
Published Apr 26, 2025 Modified May 14, 2025 CWE-352

Description

The Order Delivery Date WordPress plugin before 12.3.1 does not have authorization and CSRF checks when importing settings. Furthermore it also lacks proper checks to only update options relevant to the Order Delivery Date WordPress plugin before 12.3.1. This leads to attackers being able to modify the default_user_role to administrator and users_can_register, allowing them to register as an administrator of the site for complete site takeover.

CVSS v3.1 Score

9.8
CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weakness Type (CWE)

CWE-352 Cross-Site Request Forgery

Affected Products

Vendor Product
tychesoftwares order_delivery_date_pro_for_woocommerce

References

Frequently Asked Questions

What is CVE-2025-2907? +
The Order Delivery Date WordPress plugin before 12.3.1 does not have authorization and CSRF checks when importing settings. Furthermore it also lacks proper checks to only update options relevant to the Order Delivery Date WordPress plugin before 12.3.1. This leads to attackers being able to modify the default_user_role to administrator and users_can_register, allowing them to register as an administrator of the site for complete site takeover. It has a CVSS v3.1 base score of 9.8 (CRITICAL).
How severe is CVE-2025-2907? +
CVE-2025-2907 has a CVSS v3.1 score of 9.8 out of 10, rated CRITICAL. This is a critical vulnerability that should be patched immediately.
What products are affected by CVE-2025-2907? +
CVE-2025-2907 affects products from tychesoftwares, specifically: order_delivery_date_pro_for_woocommerce. Check the affected products table above for specific version ranges.
How do I check if I'm vulnerable to CVE-2025-2907? +
You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

Don't wait for an exploit

Scan your website for vulnerabilities like CVE-2025-2907 — free, no signup required.

Start Free Scan