Platform: WordPress
Component: wp-e-commerce-style-email
Fixed in: 0.6.3
CVE-2025-30615 is a critical Remote Code Execution (RCE) vulnerability in the WP e-Commerce Style Email plugin for WordPress. The root cause is a Cross-Site Request Forgery (CSRF) weakness: an attacker who lures a logged-in administrator to a malicious page can make the administrator's browser submit a forged request to the plugin, and the injected input ends up executing as code, which can lead to complete server compromise. Versions 0.0.0 through 0.6.2 are affected; version 0.6.3 contains the fix.
The impact is severe because the outcome is RCE: an attacker who exploits the flaw can execute arbitrary code on the WordPress server hosting the plugin, which can lead to data theft, site defacement, malware installation and full server takeover. Since the plugin handles the e-commerce email notifications, the order details, customer addresses and any payment-related data those emails carry are among the data exposed. Code execution on the web server is also a foothold for lateral movement into any other systems the server can reach.
CVE-2025-30615 was publicly disclosed on 2025-03-24. No public exploit had been confirmed at the time of writing, and the vulnerability is not listed in the CISA KEV catalog. Its EPSS score (0.04%, 13th percentile) is low, but the RCE outcome and the CRITICAL severity make it a high-priority patch. Because CSRF needs a logged-in administrator to load attacker-controlled content, mass exploitation would look like phishing or malicious links aimed at site owners rather than unauthenticated scanning of the endpoint.
Exploit Status
EPSS: 0.04% (13th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2025-30615 is to upgrade the WP e-Commerce Style Email plugin to version 0.6.3 or later without delay. If upgrading is not immediately feasible because of compatibility or testing constraints, deactivate the plugin until it can be updated. Restricting the plugin's settings page to administrators is not an effective workaround on its own: a CSRF request is issued by the administrator's own browser with their session cookies attached, so it already passes any role check. Site-wide CSRF protection plugins cannot retrofit a nonce check into another plugin's form handler either; the check has to live in the plugin, which is why the upgrade is the real fix. After upgrading, verify it: while logged in as an administrator, submit the plugin's settings form from a page hosted on a different origin without a valid nonce and confirm that WordPress rejects the request (a failed check_admin_referer() responds with "The link you followed has expired.") and that nothing was saved.
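The following is an added illustration of the bug class behind a CSRF-to-code-injection finding in a WordPress plugin settings handler, and of the handler shape a fix of this kind needs. It is not the plugin's own code: the page gives no detail of the real handler, so the vulnerable half only models the pattern, and every name prefixed wpesm_, the option name and the templates/custom.php path are assumptions made for this example.

```php
<?php
// Added illustration, not code from WP e-Commerce Style Email. Names prefixed
// wpesm_ and the templates/custom.php path are assumptions for this example.

// --- VULNERABLE PATTERN -------------------------------------------------
// An admin-side handler that acts on any POST carrying the expected field.
// Browsers attach the WordPress auth cookies to a cross-site form post, so a
// logged-in administrator who loads an attacker's page can be made to submit
// this request without knowing it. Nothing here checks who sent it or whether
// the request came from the plugin's own form.
function wpesm_save_template_vulnerable() {
    if ( ! isset( $_POST['wpesm_template'] ) ) {
        return;
    }
    // Writing user input into a .php file that the plugin later includes is
    // what turns a CSRF into remote code execution: the forged POST body
    // becomes server-side code. (Assumed sink for illustration.)
    $file = plugin_dir_path( __FILE__ ) . 'templates/custom.php';
    file_put_contents( $file, wp_unslash( $_POST['wpesm_template'] ) );
}
add_action( 'admin_init', 'wpesm_save_template_vulnerable' );

// --- HARDENED PATTERN ----------------------------------------------------
// The settings form carries a nonce bound to this action and to the user's
// session. A page on another origin can neither read nor guess it.
function wpesm_render_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="wpesm_save_template">';
    wp_nonce_field( 'wpesm_save_template', 'wpesm_nonce' );
    echo '<textarea name="wpesm_template"></textarea>';
    submit_button( 'Save template' );
    echo '</form>';
}

function wpesm_save_template_hardened() {
    // 1. Capability check: only users allowed to manage options get this far.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // 2. CSRF check: check_admin_referer() verifies the nonce and stops the
    //    request with "The link you followed has expired." when the nonce is
    //    missing, expired, or was minted for another user or action.
    check_admin_referer( 'wpesm_save_template', 'wpesm_nonce' );
    // 3. Never persist input as executable code. Store it as data, reduced to
    //    the HTML an email template legitimately needs, and render it from
    //    the option at send time instead of including a file.
    $template = isset( $_POST['wpesm_template'] )
        ? wp_kses_post( wp_unslash( $_POST['wpesm_template'] ) )
        : '';
    update_option( 'wpesm_template', $template );
    $back = wp_get_referer() ? wp_get_referer() : admin_url();
    wp_safe_redirect( add_query_arg( 'updated', '1', $back ) );
    exit;
}
add_action( 'admin_post_wpesm_save_template', 'wpesm_save_template_hardened' );
```

The three checks are independent and all three are needed: the capability check alone does nothing against CSRF because the forged request runs as the administrator, the nonce alone does not stop a low-privileged logged-in user who can obtain one, and without the change of sink, a valid request from a compromised admin account still writes code to disk.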
Update the WP e-Commerce Style Email plugin to the latest available version to mitigate the CSRF vulnerability that could allow remote code execution. Refer to the plugin repository on wordpress.org for the updated version.
CVE-2025-30615 is a critical Remote Code Execution vulnerability in the WP e-Commerce Style Email plugin, allowing attackers to inject code via CSRF.
You are affected if you are using WP e-Commerce Style Email versions 0.0.0 through 0.6.2. Upgrade immediately.
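To check a host against the affected range, here is an added shell helper; it is not part of the advisory or of the plugin. It assumes the plugin's main file is wp-content/plugins/wp-e-commerce-style-email/wp-e-commerce-style-email.php, which may not match the real file name, so adjust the path if your install differs. The sample plugin header used to exercise it is constructed for this example.

```sh
#!/bin/sh
# Added helper, not part of the advisory: decide whether an installed copy of
# WP e-Commerce Style Email falls in the affected range (<= 0.6.2; fixed in 0.6.3).
# Assumption: the plugin's main file is wp-content/plugins/<slug>/<slug>.php.

PLUGIN_SLUG="wp-e-commerce-style-email"
FIXED_VERSION="0.6.3"

# version_lt A B: succeeds when A sorts before B as a version string. sort -V
# compares numerically per component, so 0.10.0 is treated as newer than 0.6.3.
version_lt() {
    [ "$1" != "$2" ] || return 1
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# is_affected VERSION: succeeds when VERSION is below the fixed release.
is_affected() {
    version_lt "$1" "$FIXED_VERSION"
}

# plugin_header_version FILE: prints the "Version:" value from a WordPress
# plugin header comment (a line such as " * Version: 0.6.2"), or nothing.
plugin_header_version() {
    sed -n 's/^[[:space:]]*\**[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# check_install WP_ROOT: prints "affected <version>", "fixed <version>",
# "unknown-version" or "not-installed"; returns 1 for the affected case so it
# can drive a fleet-wide loop or a monitoring check.
check_install() {
    main="$1/wp-content/plugins/$PLUGIN_SLUG/$PLUGIN_SLUG.php"
    [ -f "$main" ] || { echo "not-installed"; return 0; }
    v=$(plugin_header_version "$main")
    [ -n "$v" ] || { echo "unknown-version"; return 2; }
    if is_affected "$v"; then
        echo "affected $v"
        return 1
    fi
    echo "fixed $v"
}

# Where WP-CLI is available the installed version can also be read with:
#   wp plugin get wp-e-commerce-style-email --field=version
```

Run it as `check_install /var/www/html` on each host; a non-zero exit marks an install that still needs the 0.6.3 upgrade.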
Upgrade the plugin to version 0.6.3 or later. If you cannot upgrade yet, deactivate the plugin; restricting its settings page to administrators does not stop a CSRF, because the forged request comes from an administrator's own browser.
No exploitation has been confirmed publicly and the EPSS score is low, but an RCE that only needs an administrator to visit an attacker's page warrants prompt patching.
Refer to the plugin developer's website or WordPress.org plugin repository for the latest advisory and update information.