1. Home
  2. CVE Database
  3. CVE-2025-2907
CRITICAL · 9.8

CVE-2025-2907

The Order Delivery Date WordPress plugin before 12.3.1 does not have authorization and CSRF checks when importing settings. Furthermore it also lacks proper checks to only update options relevant to t...

Vulnerability Description

The Order Delivery Date WordPress plugin before 12.3.1 does not have authorization and CSRF checks when importing settings. Furthermore it also lacks proper checks to only update options relevant to the Order Delivery Date WordPress plugin before 12.3.1. This leads to attackers being able to modify the default_user_role to administrator and users_can_register, allowing them to register as an administrator of the site for complete site takeover.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH

Affected Products

VendorProductVersions
TychesoftwaresOrder Delivery Date Pro For Woocommerce< 12.3.1

Related Weaknesses (CWE)

CWE-352

References

FAQ

What is CVE-2025-2907?

CVE-2025-2907 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The Order Delivery Date WordPress plugin before 12.3.1 does not have authorization and CSRF checks when importing settings. Furthermore it also lacks proper checks to only update options relevant to t...

How severe is CVE-2025-2907?

CVE-2025-2907 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2025-2907?

Check the references section above for vendor advisories and patch information. Affected products include: Tychesoftwares Order Delivery Date Pro For Woocommerce.