Authorization Bypass Vulnerability in the Order Delivery Date Plugin for WordPress
CVE-2025-2907


Key Information:

Vendor
WordPress
CVE Published:
26 April 2025

Badges

👾 Exploit Exists
🟡 Public PoC

Summary

The Order Delivery Date WordPress plugin, in versions before 12.3.1, is vulnerable to an authorization bypass that lets an attacker overwrite site settings. The plugin's settings-import handler performs neither a capability check nor a CSRF (nonce) check, so an unauthenticated attacker, or an administrator tricked into sending a forged request, can write arbitrary options into the site. Because WordPress core options are reachable through the import, an attacker can set the default role for new accounts (the `default_role` option) to 'administrator' and switch on open registration (`users_can_register`), then register a new account that is created as an administrator. The result is a complete takeover of the site.
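The following is an added illustration of the vulnerability class described above, not code from the Order Delivery Date plugin or from WPScan. It shows a hypothetical admin-ajax settings-import handler that lacks both checks, beside a hardened version of the same handler. All hook names, option names and function names prefixed `example_` are assumptions made for the illustration; the WordPress API calls (`current_user_can`, `check_ajax_referer`, `update_option`, `wp_send_json_*`, the sanitizers) are real.

```php
<?php
/*
 * Hypothetical illustration (NOT the Order Delivery Date plugin's own code)
 * of a settings-import handler that writes attacker-supplied options without
 * an authorization check or CSRF token, beside a hardened version.
 */

// --- Vulnerable pattern (illustrative) -----------------------------------
// Registered for logged-in AND logged-out requests, so anyone who can reach
// /wp-admin/admin-ajax.php?action=example_import_settings can invoke it.
add_action( 'wp_ajax_example_import_settings',        'example_import_settings_vulnerable' );
add_action( 'wp_ajax_nopriv_example_import_settings', 'example_import_settings_vulnerable' );

function example_import_settings_vulnerable() {
    // No current_user_can() and no nonce check. An unauthenticated request
    // (or a CSRF'd administrator) can set arbitrary options, e.g.
    // default_role=administrator and users_can_register=1, after which the
    // attacker registers a normal account and is an administrator.
    $settings = json_decode( wp_unslash( $_POST['settings'] ?? '' ), true );
    if ( ! is_array( $settings ) ) {
        wp_send_json_error( 'invalid payload' );
    }
    foreach ( $settings as $name => $value ) {
        update_option( $name, $value ); // core options reachable here
    }
    wp_send_json_success();
}

// --- Hardened pattern ----------------------------------------------------
// Privileged-user hook only (no wp_ajax_nopriv_), capability check, nonce
// verification, and an allow-list of the option names the plugin owns.
add_action( 'wp_ajax_example_import_settings_safe', 'example_import_settings_hardened' );

// Hypothetical plugin-owned options mapped to the sanitizer for each value.
const EXAMPLE_IMPORTABLE_OPTIONS = array(
    'example_delivery_days'     => 'absint',
    'example_cutoff_time'       => 'sanitize_text_field',
    'example_enable_time_slots' => 'rest_sanitize_boolean',
);

function example_import_settings_hardened() {
    // 1. Authorization: only users allowed to change site settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. CSRF: the request must carry a nonce issued for this exact action.
    //    check_ajax_referer() terminates the request when the nonce is bad.
    check_ajax_referer( 'example_import_settings', 'nonce' );

    $settings = json_decode( wp_unslash( $_POST['settings'] ?? '' ), true );
    if ( ! is_array( $settings ) ) {
        wp_send_json_error( 'invalid payload', 400 );
    }

    // 3. Allow-list: core options such as default_role or users_can_register
    //    can never be reached, and every value is sanitized before storage.
    $applied = array();
    foreach ( $settings as $name => $value ) {
        if ( ! array_key_exists( $name, EXAMPLE_IMPORTABLE_OPTIONS ) ) {
            continue; // drop anything outside the plugin's own namespace
        }
        $sanitizer = EXAMPLE_IMPORTABLE_OPTIONS[ $name ];
        update_option( $name, call_user_func( $sanitizer, $value ) );
        $applied[] = $name;
    }
    wp_send_json_success( array( 'applied' => $applied ) );
}
```

The nonce checked by `check_ajax_referer()` is the one the plugin's own admin page would issue with `wp_create_nonce( 'example_import_settings' )` and pass to its JavaScript; a forged cross-site request cannot obtain it. When triaging a site that ran an affected version, check the two core options named above (for instance `wp option get default_role` and `wp option get users_can_register` with WP-CLI) and review any administrator accounts created after the plugin was installed, since a successful exploit leaves those values changed and a new administrator registered.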

Affected Version(s)

Order Delivery Date, from 2.0 up to but not including 12.3.1

Exploit Proof of Concept (PoC)

A public proof of concept (PoC) exists for this vulnerability. PoC code is written by security researchers to demonstrate that a vulnerability can be exploited; it also lowers the bar for weaponization, and exploits for unauthenticated site takeover are routinely picked up by ransomware operators.

Timeline

  • 🟡 Public PoC available
  • 👾 Exploit known to exist
  • Vulnerability published
  • Vulnerability reserved

Credit

Mike Gozdiskowski (WPScan)