CVE-2025-2907 · CRITICAL 9.8 · EPSS percentile 66.6%

Description

The Order Delivery Date WordPress plugin before 12.3.1 does not have authorization and CSRF checks when importing settings. Furthermore, it also lacks proper checks to restrict the import to options relevant to the plugin itself. This allows attackers to modify the default_user_role option to administrator and to enable users_can_register, letting them register as an administrator of the site for complete site takeover.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.30% probability of exploitation · percentile 66.6% · scored 2026-06-19T12:03:05Z
Published: 2025-04-26
Last modified: 2025-05-14

Underlying weaknesses · 1

CWE-352

References

  1. https://wpscan.com/vulnerability/2e513930-ec01-4dc6-8991-645c5267e14c/

Weakness mappings · 1

  Type      Target                                      Confidence  Tier
  Weakness  Cross-Site Request Forgery (CSRF), cwe-352  0%          live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  CVE: CVE-2025-2266
  CVE: CVE-2025-3063
  CVE: CVE-2025-2563
  CVE: CVE-2025-15484
  CVE: CVE-2025-2815
  CVE: CVE-2025-14996
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.