Platform
wordpress
Component
torod
Fixed in
1.10.0
CVE-2025-12373 describes a Cross-Site Request Forgery (CSRF) vulnerability in the Torod WordPress plugin, caused by missing nonce validation on the plugin's settings-saving action. An attacker who holds no credentials on the site can change the plugin's settings by tricking a logged-in administrator into visiting a page that submits the request on the administrator's behalf. All versions up to and including 1.9 are affected; the fix is in version 1.10.0.
The primary impact is unauthorized modification of the Torod plugin's settings. An attacker crafts a page containing a hidden, auto-submitting form (or a link that triggers one) aimed at the plugin's settings-saving action; when an administrator who is logged in to the WordPress dashboard loads that page, the browser sends the request together with the administrator's session cookies, and the plugin accepts it because nothing ties the request to a form the administrator actually rendered. Shipping configuration, the Torod API key, or other plugin parameters can be overwritten this way, producing wrong shipping rates, shipments routed through an attacker-controlled account, or a broken shipping flow for the store. Every site running an affected version is exposed, and the attack costs the attacker nothing beyond hosting a page and getting one administrator to open it; the more administrators a site has, the more targets the lure has.
This vulnerability was publicly disclosed on 2025-12-05. There is currently no indication of active exploitation campaigns targeting this CVE, and no public proof-of-concept (PoC) code has been identified as of this writing. The CVSS score of 4.3 (medium) reflects the need for administrator interaction and an impact limited to plugin settings; CVSS measures severity, not likelihood, so the probability of exploitation is better read from the EPSS figure below.
Exploit Status
EPSS: 0.02% (4th percentile)
The recommended mitigation is to upgrade the Torod plugin to version 1.10.0 or later, which adds the missing nonce validation to the settings-saving action. If upgrading is not immediately feasible, add a Web Application Firewall (WAF) rule that blocks POST requests for the plugin's save_settings action when they carry no WordPress nonce parameter or arrive with an Origin or Referer header that does not match the site's own host; a WAF cannot validate the nonce itself, so this is a stopgap, not a replacement for the patch. Also remind administrators that they should not browse untrusted sites while logged in to the WordPress dashboard. After upgrading, confirm the fix by sending the settings-saving request from an administrator session without the nonce field (for example, by resubmitting the settings form with the nonce input removed) and verifying that WordPress rejects it with its "link has expired" error instead of saving the settings.
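The attack shape described under the impact section and the nonce-based fix described above, as an added illustration written for this page rather than code taken from the Torod plugin. The hook name torod_save_settings, the nonce name torod_nonce, the option key torod_api_key and the form field names are assumptions chosen for the example, not the plugin's real identifiers.

```php
<?php
/**
 * Illustration only: not the Torod plugin's code. Hook names, option keys,
 * nonce and field names are assumptions made for this example.
 */

// --- Vulnerable pattern: the handler trusts any POST that reaches it. ---
// admin_post_* hooks only fire for logged-in users, so the attacker cannot
// call this directly; instead an admin who loads an attacker page such as
//   <form action="https://shop.example/wp-admin/admin-post.php" method="POST">
//     <input type="hidden" name="action" value="torod_save_settings_vulnerable">
//     <input type="hidden" name="torod_api_key" value="attacker-key">
//   </form><script>document.forms[0].submit()</script>
// has the browser send it with their session cookies, and the settings are
// overwritten because nothing ties the request to a form the admin rendered.
// (The "_vulnerable" suffix exists only so both handlers can coexist here.)
add_action( 'admin_post_torod_save_settings_vulnerable', 'torod_save_settings_vulnerable' );
function torod_save_settings_vulnerable() {
    $api_key = sanitize_text_field( wp_unslash( $_POST['torod_api_key'] ?? '' ) );
    update_option( 'torod_api_key', $api_key );
    wp_safe_redirect( add_query_arg( 'saved', '1', admin_url( 'admin.php?page=torod' ) ) );
    exit;
}

// --- Hardened pattern: nonce (anti-CSRF) plus capability (authorization). ---
add_action( 'admin_post_torod_save_settings', 'torod_save_settings' );
function torod_save_settings() {
    // Calls wp_die() with HTTP 403 unless the POST carries a nonce that
    // WordPress generated for this action, for this user, within the nonce
    // lifetime. A cross-site page cannot read or forge that value.
    check_admin_referer( 'torod_save_settings', 'torod_nonce' );

    // A nonce proves intent, not privilege: a low-privilege user could hold
    // a valid nonce of their own, so the capability is checked separately.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'You are not allowed to change these settings.', 'torod' ),
            '',
            array( 'response' => 403 )
        );
    }

    $api_key = sanitize_text_field( wp_unslash( $_POST['torod_api_key'] ?? '' ) );
    update_option( 'torod_api_key', $api_key );

    wp_safe_redirect( add_query_arg( 'saved', '1', admin_url( 'admin.php?page=torod' ) ) );
    exit;
}

// --- Settings form: the nonce field is the part an attacker cannot supply. ---
function torod_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="torod_save_settings">
        <?php wp_nonce_field( 'torod_save_settings', 'torod_nonce' ); ?>
        <label>
            API key
            <input type="text" name="torod_api_key"
                   value="<?php echo esc_attr( get_option( 'torod_api_key', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

To check a patched install the way the mitigation section suggests, submit the hardened form from an administrator session with the torod_nonce input deleted (or with its value changed): check_admin_referer() then stops the request with WordPress's "The link you followed has expired" page and a 403 status, and get_option('torod_api_key') is unchanged. The vulnerable handler, given the same request, saves the value and redirects.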
Update to version 1.10.0, or a newer patched version
CVE-2025-12373 is a Cross-Site Request Forgery (CSRF) vulnerability in the Torod WordPress plugin. An attacker with no account on the site can change the plugin's settings by getting a logged-in administrator to load a page that submits a forged settings-saving request.
You are affected if you are running any Torod WordPress plugin version up to and including 1.9. Upgrade to version 1.10.0 or later to remove the risk.
Upgrade the Torod plugin to version 1.10.0 or later. As a temporary workaround, add a WAF rule that blocks POST requests for the plugin's save_settings action that carry no nonce parameter or come from a foreign Origin or Referer.
There is currently no evidence of active exploitation campaigns targeting CVE-2025-12373, but it remains a potential risk.
Refer to the Torod plugin's official website or WordPress plugin directory for the latest security advisory and update information.