Platform
wordpress
Component
clover-online-orders
Fixed in
1.6.1
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in Zaytech Smart Online Order for Clover (the WordPress plugin clover-online-orders). It potentially allows an attacker to cause actions to be performed on behalf of an authenticated user without that user's intent, which could lead to unintended data modification or other unauthorized changes. All versions up to and including 1.6.0 are affected (no lower bound is given); this entry lists 1.6.1 as the fixed version.
CVE-2025-15635 affects Smart Online Order for Clover and enables Cross-Site Request Forgery (CSRF). An attacker can trick a logged-in user, typically a site administrator or store staff, into submitting a request to the WordPress site that the user never meant to make. Which actions are reachable depends on which of the plugin's request handlers lack a nonce or equivalent origin check; the advisory does not enumerate them, but order handling and plugin settings are the natural targets for a plugin of this kind. For businesses that run their Clover online ordering through this plugin, that puts operational integrity and data security at risk. Affected versions run up to and including 1.6.0; the fixed version is 1.6.1.
An attacker exploits this class of flaw by preparing a request to the vulnerable endpoint in advance (for example an auto-submitting HTML form or a crafted link) and hosting it on a page they control or sending it by e-mail. When a user who is logged in to the WordPress site visits that page, the browser issues the request to the site and automatically attaches the user's session cookies, so the request arrives with the victim's privileges and the plugin processes it as if the victim had submitted it. The attacker never sees the credentials; the browser supplies them. How hard this is in practice depends on how well the attacker can lure the user and on whether the target action needs any value the attacker cannot guess. The absence of CSRF protection on the affected handlers removes the one check that would otherwise defeat the forged request.
Exploit Status
EPSS
0.02% (4th percentile)
Update the plugin to 1.6.1 or later, which this entry lists as the fixed version. Where the update cannot be applied immediately, mitigation falls back on general hygiene: restrict the number of accounts with order-management or administrative rights, make users aware that visiting an untrusted page while logged in to the site is enough to trigger a forged request, and review order and settings changes for activity the responsible users do not recognise. The actual fix belongs to the plugin developer, ZAYTECH: in WordPress that means issuing a nonce with each state-changing form or AJAX call (wp_nonce_field, wp_create_nonce) and verifying it in the handler (check_admin_referer, check_ajax_referer or wp_verify_nonce) alongside a capability check; contacting the developer to confirm the fix is in place is reasonable. Keeping WordPress core and browsers current reduces overall exposure but does not by itself close a missing nonce check in a plugin.
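The following is an added illustration of the defensive pattern described above, not code from the Smart Online Order for Clover plugin. It shows a hypothetical WordPress admin-post handler that saves a plugin setting, first in the CSRF-able form (only a capability check, which a forged request from a logged-in administrator passes) and then hardened with a nonce. The action names, option name and field names (acme_orders_save, acme_orders_store_email, _acme_nonce) are invented for this example.

```php
<?php
/**
 * Added example, not the plugin's own code. Demonstrates why a capability
 * check alone does not stop CSRF in WordPress, and what a nonce-protected
 * handler looks like. All identifiers below are hypothetical.
 */

// --- Vulnerable pattern ---------------------------------------------------
// Any site can auto-submit a form to admin-post.php?action=acme_orders_save_insecure.
// The victim's browser attaches the WordPress auth cookies, so the capability
// check passes and the setting is overwritten with attacker-chosen data.
add_action( 'admin_post_acme_orders_save_insecure', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', 403 );
    }
    $email = sanitize_email( wp_unslash( $_POST['store_email'] ?? '' ) );
    update_option( 'acme_orders_store_email', $email ); // no proof the admin intended this
    wp_safe_redirect( admin_url( 'admin.php?page=acme-orders' ) );
    exit;
} );

// --- Hardened pattern -----------------------------------------------------
// The form carries a nonce bound to the action name and the current user's
// session. A cross-origin page cannot read it, so it cannot forge the request.
function acme_orders_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'acme_orders_save', '_acme_nonce' ); ?>
        <input type="hidden" name="action" value="acme_orders_save">
        <label>Store e-mail
            <input type="email" name="store_email"
                   value="<?php echo esc_attr( get_option( 'acme_orders_store_email', '' ) ); ?>">
        </label>
        <button type="submit">Save</button>
    </form>
    <?php
}

add_action( 'admin_post_acme_orders_save', function () {
    // check_admin_referer() terminates with a 403 when the nonce is missing,
    // expired, or was issued for a different action or user. Always pass an
    // explicit action string; the default (-1) weakens the check.
    check_admin_referer( 'acme_orders_save', '_acme_nonce' );

    // Nonces prove intent, not authority: still check the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', 403 );
    }

    $email = sanitize_email( wp_unslash( $_POST['store_email'] ?? '' ) );
    if ( ! is_email( $email ) ) {
        wp_die( 'Invalid e-mail address', 400 );
    }
    update_option( 'acme_orders_store_email', $email );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'admin.php?page=acme-orders' ) ) );
    exit;
} );

// For wp_ajax_* handlers the equivalent call is check_ajax_referer( 'acme_orders_save', '_acme_nonce' );
// for REST routes, register_rest_route() needs a real permission_callback and the client
// must send the X-WP-Nonce header created with wp_create_nonce( 'wp_rest' ).
```

The two handlers differ only in the nonce check, which is the whole point: the vulnerable one cannot distinguish a request the administrator submitted from one an attacker's page submitted using the administrator's cookies. Note also that a GET endpoint that changes state is forgeable with nothing more than an image tag, so state changes should be POST-only in addition to being nonce-protected.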
Update to 1.6.1 or later. If updating is not possible in your environment, review the vulnerability details above and apply mitigations according to your organisation's risk tolerance; where the plugin handles live orders and the update cannot be applied, disabling it until it can is preferable to running a known-vulnerable version.
A CSRF (Cross-Site Request Forgery) attack forces an authenticated user to perform unintended actions on a web application without their knowledge.
Monitor your Clover account for unusual activity, such as unauthorized orders or changes to settings.
If you suspect the flaw was exploited, review and revert any unauthorized orders or setting changes, log out all sessions and rotate your password as a precaution (CSRF does not expose credentials, but it cannot be ruled out that other issues were chained), and contact Clover and ZAYTECH support.
Yes: update to 1.6.1 or later, the version this entry lists as fixed. Until then, limiting privileged accounts and making users aware of the phishing risk reduces, but does not remove, the exposure.
You can contact the application developer, ZAYTECH, or Clover support for more information.