WordPress WP e-Commerce Style Email plugin <= 0.6.2 - CSRF to Remote Code Execution vulnerability
Platform
wordpress
Component
wp-e-commerce-style-email
Fixed in
0.6.3
CVE-2025-30615 is a critical Remote Code Execution (RCE) vulnerability discovered in the WP e-Commerce Style Email plugin. This vulnerability allows attackers to inject code via Cross-Site Request Forgery (CSRF), potentially leading to complete server compromise. The vulnerability affects versions from 0.0.0 up to and including 0.6.2, and a patch is available in version 0.6.3.
Impact and Attack Scenarios
The impact of this vulnerability is severe. An attacker exploiting CVE-2025-30615 can leverage CSRF to execute arbitrary code on the server hosting the WordPress site. This could involve defacing the website, stealing sensitive data (customer information, financial records, etc.), installing malware, or using the compromised server as a launchpad for further attacks against other systems on the network. The ability to inject code grants the attacker a high degree of control over the affected system, making it a significant security risk. Because the flaw is a CSRF issue, the attacker needs no credentials of their own: the forged request is carried out with the privileges of a logged-in user who is tricked into visiting a crafted page, which lowers the bar for exploitation.
Exploitation Context
CVE-2025-30615 was publicly disclosed on 2025-03-24. Currently, no known public exploits or active campaigns targeting this vulnerability have been reported. The vulnerability is not listed on the CISA KEV catalog as of this writing. The presence of a CSRF vulnerability combined with RCE capabilities suggests a potential for exploitation if a suitable exploit is developed and disseminated.
Who Is at Risk
Websites utilizing the WP e-Commerce Style Email plugin, particularly those running older, unpatched versions (0.0.0 - 0.6.2), are at significant risk. Shared hosting environments where multiple websites share the same server are also at increased risk, as a compromise of one site could potentially lead to the compromise of others.
Detection Steps
• wordpress / composer / npm:
grep -r "wp_e_commerce_style_email" /var/www/html/
• wordpress / composer / npm:
wp plugin list --status=inactive | grep wp-e-commerce-style-email
• wordpress / composer / npm:
wp plugin list --status=active | grep wp-e-commerce-style-email
• generic web: Check for unusual POST requests to plugin endpoints in access logs.
• generic web: Monitor for unexpected file modifications in the plugin's directory.
Attack Timeline
- Disclosure
Threat Analysis
Exploit Status
EPSS
0.04% (13th percentile)
CISA SSVC
CVSS Vector
What do these metrics mean?
- Attack Vector
- Network: exploitable remotely over the Internet. No physical or local access required.
- Attack Complexity
- Low: no special conditions required. Reliably exploitable.
- Privileges Required
- None: exploitable without authentication. No credentials required.
- User Interaction
- Required: the victim must open a file, click a link, or visit a page.
- Scope
- Changed: the attack can spread beyond the vulnerable component to other systems.
- Confidentiality
- High: complete loss of confidentiality. The attacker can read all data.
- Integrity
- High: the attacker can write, modify, or delete arbitrary data.
- Availability
- High: complete crash or resource exhaustion. Total denial of service.
Affected Software
Vulnerability Classification (CWE)
Timeline
- Reserved
- Published
- Modified
- EPSS updated
Mitigation and Workarounds
The primary mitigation for CVE-2025-30615 is to immediately upgrade the WP e-Commerce Style Email plugin to version 0.6.3 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a temporary workaround by restricting access to the vulnerable endpoints. This can be achieved through WordPress access control plugins or by modifying the .htaccess file to block unauthorized requests. Monitor WordPress logs for suspicious activity related to the plugin, specifically looking for unusual code execution attempts. After upgrading, verify the fix by attempting to trigger the CSRF vulnerability using a test payload and confirming that the code injection is prevented.
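The Detection Steps above locate the plugin directory but do not tell you which version is installed, and the mitigation paragraph asks you to confirm the upgrade afterwards. The following POSIX shell script is an added example, not part of this advisory or of the plugin: it reads the "Version:" line from a plugin's main PHP file (the standard WordPress plugin header) and reports whether the version is below the fixed release 0.6.3 stated on this page. The plugins directory path and the assumption that the plugin folder starts with "wp-e-commerce-style-email" are the author's assumptions; the version comparison is done in plain shell so it does not depend on sort -V.

```shell
#!/bin/sh
# Added example (not from the advisory): flag installs of the WP e-Commerce Style
# Email plugin whose header version is older than the fixed release.
set -u

# Fixed version taken from the advisory ("Fixed in 0.6.3").
FIXED_VERSION="0.6.3"

# Print the version declared in a WordPress plugin header ("Version: 0.6.2"),
# or nothing if the file has no such line.
plugin_version_from_header() {
    sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 when dot-separated version $1 is strictly older than $2.
# Components are compared numerically, so 0.10.0 is newer than 0.6.3.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}
        [ "$a" = "$ah" ] && a="" || a=${a#*.}
        [ "$b" = "$bh" ] && b="" || b=${b#*.}
        ah=${ah:-0}; bh=${bh:-0}
        if [ "$ah" -lt "$bh" ]; then return 0; fi
        if [ "$ah" -gt "$bh" ]; then return 1; fi
    done
    return 1
}

# Return 0 when the given version falls in the affected range (below 0.6.3).
is_vulnerable_version() {
    ver="$1"
    [ -z "$ver" ] && return 1
    version_lt "$ver" "$FIXED_VERSION"
}

# Scan a wp-content/plugins directory for folders matching the component slug
# (folder prefix is an assumption) and report each plugin file with a version
# header. Returns 0 if at least one matching plugin file was found.
check_plugins_dir() {
    dir="$1"
    found=1
    for f in "$dir"/wp-e-commerce-style-email*/*.php; do
        [ -f "$f" ] || continue
        v=$(plugin_version_from_header "$f")
        [ -n "$v" ] || continue
        found=0
        if is_vulnerable_version "$v"; then
            printf 'VULNERABLE %s (version %s < %s)\n' "$f" "$v" "$FIXED_VERSION"
        else
            printf 'ok %s (version %s)\n' "$f" "$v"
        fi
    done
    return $found
}

# Stand-alone use: sh check_plugin.sh /var/www/html/wp-content/plugins
# (the path is an assumption; adjust it to your WordPress install).
if [ $# -gt 0 ]; then
    check_plugins_dir "$1" || { echo "no matching plugin found under $1"; exit 2; }
fi
```

Run it once before patching to confirm exposure and again after the upgrade; a line starting with "ok" and showing 0.6.3 or later confirms the fix landed on disk. The script reads only the header, so it reports a plugin whether WordPress lists it as active or inactive, which matters because an inactive copy still ships the vulnerable code.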
How to Fix
Update the WP e-Commerce Style Email plugin to the latest available version to mitigate the CSRF vulnerability that could allow remote code execution. Consult the plugin repository on wordpress.org for the updated version.
Frequently Asked Questions
What is CVE-2025-30615 — RCE in WP e-Commerce Style Email?
CVE-2025-30615 is a critical Remote Code Execution vulnerability in the WP e-Commerce Style Email plugin, allowing attackers to inject code via CSRF.
Am I affected by CVE-2025-30615 in WP e-Commerce Style Email?
You are affected if you are using WP e-Commerce Style Email versions 0.0.0 through 0.6.2. Upgrade immediately.
How do I fix CVE-2025-30615 in WP e-Commerce Style Email?
Upgrade the plugin to version 0.6.3 or later. As a temporary workaround, restrict access to the plugin's administrative interface.
Is CVE-2025-30615 being actively exploited?
While no confirmed exploitation is public, the vulnerability's severity and ease of exploitation suggest a high risk of active exploitation.
Where can I find the official WP e-Commerce Style Email advisory for CVE-2025-30615?
Refer to the plugin developer's website or WordPress.org plugin repository for the latest advisory and update information.