Order Delivery Date Pro for WooCommerce < 12.3.1 - Unauthenticated Arbitrary Option Update
Description
The plugin performs no authorization or CSRF check when importing settings, and it does not restrict the import to options that belong to the plugin, so arbitrary WordPress options can be written. Unauthenticated attackers can therefore set default_user_role to administrator and enable users_can_register, allowing them to register an administrator account and take over the site completely.
Note: The issue is being actively exploited and only affects the Pro version (https://woocommerce.com/products/order-delivery-date/)
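As an added illustration (not the plugin's own code, and using hypothetical option and hook names), this is the shape of a settings-import handler that closes all three gaps named above: a capability check, a nonce check against CSRF, and an allowlist so that only the plugin's own options can ever be written. The WordPress core option the description refers to is stored as default_role.

```php
<?php
// Added defensive example; the oddp_example_* names are hypothetical.
const ODDP_EXAMPLE_ALLOWED_OPTIONS = array(
    'oddp_example_delivery_days',
    'oddp_example_time_slots',
    'oddp_example_cutoff_hours',
);

// Keep only allowlisted plugin options; core options such as
// default_role or users_can_register are silently dropped.
function oddp_example_filter_import( array $settings ) {
    $accepted = array();
    foreach ( $settings as $name => $value ) {
        if ( ! in_array( $name, ODDP_EXAMPLE_ALLOWED_OPTIONS, true ) ) {
            continue;
        }
        $accepted[ $name ] = $value;
    }
    return $accepted;
}

// Hooked only on admin_post_ (no admin_post_nopriv_ counterpart),
// so anonymous requests never reach this handler.
function oddp_example_import_settings() {
    // Authorization: only store managers may import settings.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // CSRF: require the nonce issued with the import form.
    check_admin_referer( 'oddp_example_import', 'oddp_example_nonce' );

    $raw     = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : '';
    $decoded = is_string( $raw ) ? json_decode( $raw, true ) : null;
    if ( ! is_array( $decoded ) ) {
        wp_die( 'Malformed import payload.', 400 );
    }
    foreach ( oddp_example_filter_import( $decoded ) as $name => $value ) {
        update_option( $name, sanitize_text_field( (string) $value ) );
    }
    wp_safe_redirect( admin_url( 'admin.php?page=oddp-example&imported=1' ) );
    exit;
}
add_action( 'admin_post_oddp_example_import', 'oddp_example_import_settings' );
```

Any one of the three checks alone is insufficient: the allowlist is what prevents a privileged but CSRF-tricked request from rewriting core options, while the capability and nonce checks keep the endpoint off the unauthenticated surface.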
Classification
Type
NO AUTHORISATION
Miscellaneous
Original Researcher
Mike Gozdiskowski
Submitter
Mike Gozdiskowski
Verified
Yes
Timeline
Publicly Published
2025-04-04
Added
2025-03-28
Last Updated
2025-03-28