Platform: wordpress
Component: kirimemail-woocommerce-integration
Fixed in: 1.3.0
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Kirim.Email WooCommerce Integration plugin for WordPress. This flaw, present in versions 1.0.0 through 1.2.9, allows unauthenticated attackers to potentially modify the plugin's API credentials and integration settings. The vulnerability stems from a lack of nonce validation on the plugin's settings page. A fix is available in version 1.3.0.
Successful exploitation of this CSRF vulnerability allows an attacker to forge requests that appear to originate from a legitimate administrator. This enables them to modify critical plugin settings, such as API keys and integration configurations, without proper authentication. Compromising these settings could lead to unauthorized sending of emails, data breaches if API keys grant access to sensitive information, and potential disruption of WooCommerce order processing. The attacker needs to trick an administrator into clicking a malicious link or visiting a crafted page to trigger the forged request.
This vulnerability was publicly disclosed on 2025-12-12. No public proof-of-concept (PoC) code has been identified at the time of writing. The vulnerability's CVSS score of 4.3 (MEDIUM) indicates a moderate risk of exploitation. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.02% (4th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation is to upgrade the Kirim.Email WooCommerce Integration plugin to version 1.3.0 or later, which includes the necessary nonce validation. If immediate upgrading is not possible, consider implementing a Web Application Firewall (WAF) rule to block suspicious requests targeting the plugin's settings endpoint. Carefully review user permissions and restrict access to the plugin's settings page to only authorized administrators. Regularly audit the plugin's configuration for any unauthorized changes.
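The advisory attributes the flaw to a settings handler that accepts a POST without checking a WordPress nonce, and the fix to adding that check. The following is an added illustration of that before/after pattern; it is not the Kirim.Email plugin's code, and the option name, menu action and capability (`example_api_key`, `example_save_settings`, `manage_options`) are hypothetical placeholders.

```php
<?php
// Added illustration of the CSRF pattern described above, not code from
// the Kirim.Email plugin. All names below are hypothetical placeholders.

// --- Before: the vulnerable shape. No nonce, no capability check. ---
// Any POST that reaches this handler is honoured, so a form on a third-party
// page submitted by a logged-in administrator's browser is enough to
// overwrite the stored credential.
function example_save_settings_unprotected() {
    if ( isset( $_POST['example_api_key'] ) ) {
        update_option(
            'example_api_key',
            sanitize_text_field( wp_unslash( $_POST['example_api_key'] ) )
        );
    }
}

// --- After: nonce field in the form, nonce + capability check on save. ---
function example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php
        // Emits a hidden field tied to this action and the current user/session.
        wp_nonce_field( 'example_save_settings', 'example_settings_nonce' );
        ?>
        <input type="hidden" name="action" value="example_save_settings">
        <input type="text" name="example_api_key"
               value="<?php echo esc_attr( get_option( 'example_api_key', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function example_save_settings_protected() {
    // A forged request still carries the admin's cookies, so the capability
    // check alone is not enough; it only limits who may legitimately save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // check_admin_referer() terminates with a 403 when the nonce is missing,
    // expired, or was issued for a different action or user. A cross-site page
    // cannot read the nonce value, so forged requests never reach update_option().
    check_admin_referer( 'example_save_settings', 'example_settings_nonce' );

    $api_key = isset( $_POST['example_api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_api_key'] ) )
        : '';
    update_option( 'example_api_key', $api_key );

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_example_save_settings', 'example_save_settings_protected' );
```

When reviewing a plugin for this class of bug, look for every handler that calls `update_option()` on request input and confirm it is guarded by `check_admin_referer()` or `wp_verify_nonce()` in addition to a capability check; the capability check on its own does not stop CSRF, because the forged request is sent by an authenticated browser.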
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2025-14165 is a Cross-Site Request Forgery (CSRF) vulnerability affecting Kirim.Email WooCommerce Integration versions 1.0.0–1.2.9, allowing attackers to modify plugin settings.
You are affected if your WordPress site uses Kirim.Email WooCommerce Integration version 1.0.0 through 1.2.9. Upgrade to 1.3.0 or later to mitigate the risk.
Upgrade the Kirim.Email WooCommerce Integration plugin to version 1.3.0 or later. Consider WAF rules and restricted admin access as temporary mitigations.
There is no confirmed active exploitation of CVE-2025-14165 at this time, but the vulnerability is publicly known.
Refer to the Kirim.Email plugin documentation or their official website for the latest advisory regarding CVE-2025-14165.