Platform
wordpress
Component
clover-online-orders
Fixed in
1.6.1
CVE-2025-15635 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in ZAYTECH's Smart Online Order for Clover WordPress plugin. This flaw allows an attacker to trick authenticated users into unknowingly executing malicious actions, potentially leading to unauthorized modifications or data manipulation. The vulnerability impacts versions from 0.0.0 up to and including 1.6.0, and a fix is pending release.
A successful CSRF attack could allow an attacker to modify order settings, change user permissions, or gain access to sensitive customer data. The attacker would need to lure a victim into clicking a malicious link or visiting a crafted webpage while the victim is authenticated to the WordPress site running Smart Online Order for Clover. The blast radius is limited to the actions the victim's account can perform within the plugin, but the potential for unauthorized changes and data compromise remains significant. This type of vulnerability is often exploited through phishing campaigns or by injecting malicious scripts into trusted websites.
This vulnerability was publicly disclosed on 2026-04-15. There are currently no known public proof-of-concept exploits available. The CVSS score of 4.3 rates the flaw as medium severity. It is not currently listed on the CISA KEV catalog.
Exploit status
EPSS
0.02% (4th percentile)
CISA SSVC
CVSS vector
As a primary mitigation, users should immediately upgrade to the patched version of Smart Online Order for Clover when it becomes available. Until then, implement strict input validation and output encoding within the plugin's code to prevent malicious requests from being processed. Consider implementing CSRF tokens for all sensitive actions within the plugin. Web Application Firewalls (WAFs) configured with CSRF protection rules can also help to block malicious requests. Regularly review user activity logs for suspicious patterns.
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
A CSRF (Cross-Site Request Forgery) attack forces an authenticated user to perform unintended actions on a web application without their knowledge.
Monitor your Clover account for unusual activity, such as unauthorized orders or changes to settings.
Change your password immediately and contact Clover and ZAYTECH support.
While there's no official fix, implementing good security practices, such as CSRF token validation and user education, can help reduce the risk.
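The CSRF token validation recommended above, shown as an added example in generic WordPress plugin code. This is not code from the Smart Online Order for Clover plugin; the action, option and function names (`demo_*`) are hypothetical. The first handler accepts any authenticated browser's POST; the second requires a per-user nonce and a capability before changing state.

```php
<?php
// Added example (not from the affected plugin): a WordPress admin-post handler
// shown without CSRF protection, then hardened with a nonce and a capability check.
// All demo_* names and the 'demo_order_settings' option are hypothetical.

// --- Vulnerable pattern: a cross-site form POST from any origin is processed.
add_action( 'admin_post_demo_save_order_settings_unsafe', 'demo_save_order_settings_unsafe' );
function demo_save_order_settings_unsafe() {
    // No nonce check: the request cannot be tied to a form this user actually submitted.
    // No capability check: any logged-in user may change the setting.
    update_option( 'demo_order_settings', wp_unslash( $_POST['settings'] ?? '' ) );
    wp_safe_redirect( admin_url( 'admin.php?page=demo-orders' ) );
    exit;
}

// --- Hardened pattern: the form embeds a nonce bound to the action and the current user.
function demo_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_save_order_settings">
        <?php wp_nonce_field( 'demo_save_order_settings', 'demo_nonce' ); ?>
        <input type="text" name="settings"
               value="<?php echo esc_attr( get_option( 'demo_order_settings', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

add_action( 'admin_post_demo_save_order_settings', 'demo_save_order_settings' );
function demo_save_order_settings() {
    // 1. Authorization: the caller must hold the capability for this action.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. CSRF: the request must carry a valid nonce for this action and user.
    //    check_admin_referer() terminates the request when the nonce is missing or stale,
    //    which is exactly what a forged cross-site request lacks.
    check_admin_referer( 'demo_save_order_settings', 'demo_nonce' );
    // 3. Only now touch state, after sanitizing the submitted value.
    $settings = sanitize_text_field( wp_unslash( $_POST['settings'] ?? '' ) );
    update_option( 'demo_order_settings', $settings );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'admin.php?page=demo-orders' ) ) );
    exit;
}
```

The same nonce-then-capability pattern applies to AJAX (`check_ajax_referer()`) and REST handlers; a state-changing endpoint without one of these checks is the kind of gap a CSRF finding points at.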
You can contact the application developer, ZAYTECH, or Clover support for more information.