Platform
wordpress
Component
i-order-terms
Fixed in
1.5.1
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the I Order Terms WordPress plugin. This flaw allows an attacker to potentially execute unauthorized actions on a user's account if they are tricked into clicking a malicious link. The vulnerability affects versions from 0.0.0 up to and including 1.5.0, and a patch is available in version 1.5.1.
The CSRF vulnerability in I Order Terms allows an attacker to craft malicious requests that appear to originate from a legitimate user. If a user clicks on a specially crafted link or visits a compromised website containing the malicious request, the attacker can perform actions as that user within the I Order Terms plugin. This could include modifying order terms, potentially leading to unauthorized changes to order configurations or other sensitive settings. The blast radius is limited to the scope of actions available within the plugin itself, but successful exploitation could still have significant consequences for e-commerce operations.
This vulnerability was publicly disclosed on 2025-11-21. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog at the time of writing. The medium CVSS score indicates a moderate risk of exploitation.
WordPress websites utilizing the I Order Terms plugin, particularly those running versions 0.0.0 through 1.5.0, are at risk. Shared hosting environments where plugin updates are managed centrally are also at increased risk, as they may be slower to apply security patches.
• wordpress / composer / npm:
grep -r 'i-order-terms/includes/class-i-order-terms.php' . | grep -i 'wp_send_json_encode' # Look for potential vulnerable endpoints
• generic web:
curl -I https://your-wordpress-site.com/wp-content/plugins/i-order-terms/includes/class-i-order-terms.php | grep -i 'server'
Exploit Status
EPSS
0.03% (7th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-66097 is to immediately upgrade the I Order Terms plugin to version 1.5.1 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing temporary workarounds such as adding CSRF tokens to all sensitive forms and actions within the plugin. Web Application Firewalls (WAFs) configured to detect and block CSRF attacks can also provide an additional layer of protection. Regularly review WordPress plugin configurations and user permissions to minimize the potential impact of successful exploitation.
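As an added illustration of the token-based workaround the mitigation above describes (example code, not the I Order Terms plugin's own handlers; the action name 'iot_save_order', the field 'iot_order_nonce', the term-meta key and the function names are hypothetical), a WordPress AJAX handler with no request-origin check next to the same handler protected by a nonce and a capability check:

```php
<?php
// Added example, not code from the I Order Terms plugin. Hook names,
// the 'iot_save_order' nonce action, the 'iot_order_nonce' field and the
// 'iot_position' term-meta key are hypothetical.

// Weak form: the handler acts on whatever POST body reaches it, so a request
// submitted by another site in an administrator's browser is accepted.
function iot_save_order_weak() {
    $taxonomy = sanitize_key( $_POST['taxonomy'] ?? '' );
    $order    = array_map( 'absint', (array) ( $_POST['order'] ?? array() ) );
    // ... persist the new term order ...
    wp_send_json_success( array( 'taxonomy' => $taxonomy, 'count' => count( $order ) ) );
}
add_action( 'wp_ajax_iot_save_order_weak', 'iot_save_order_weak' );

// Hardened form: the request must carry a valid nonce issued by this site and
// the caller must hold a capability appropriate for reordering terms.
function iot_save_order_hardened() {
    // Dies with HTTP 403 when the nonce is missing, forged or expired.
    check_ajax_referer( 'iot_save_order', 'iot_order_nonce' );
    if ( ! current_user_can( 'manage_categories' ) ) {
        wp_send_json_error( 'insufficient capability', 403 );
    }
    $taxonomy = sanitize_key( $_POST['taxonomy'] ?? '' );
    if ( ! taxonomy_exists( $taxonomy ) ) {
        wp_send_json_error( 'unknown taxonomy', 400 );
    }
    $order = array_map( 'absint', (array) ( $_POST['order'] ?? array() ) );
    foreach ( $order as $position => $term_id ) {
        update_term_meta( $term_id, 'iot_position', $position );
    }
    wp_send_json_success( array( 'taxonomy' => $taxonomy, 'count' => count( $order ) ) );
}
add_action( 'wp_ajax_iot_save_order', 'iot_save_order_hardened' );

// The nonce is minted server-side and handed to the admin script, which must
// send it back in the 'iot_order_nonce' POST field with every save request.
function iot_enqueue_admin_script() {
    wp_enqueue_script( 'iot-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'iot-admin', 'iotOrder', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'iot_save_order' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'iot_enqueue_admin_script' );
```

A WAF rule that blocks admin-ajax.php requests lacking the nonce field only complements this; the server-side check is what removes the CSRF condition.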
Update to version 1.5.1 or a more recent patched version.
CVE-2025-66097 is a Cross-Site Request Forgery (CSRF) vulnerability in the I Order Terms WordPress plugin, allowing attackers to perform unauthorized actions.
Yes, if you are using I Order Terms versions 0.0.0 through 1.5.0, you are affected by this vulnerability.
Upgrade the I Order Terms plugin to version 1.5.1 or later to resolve the vulnerability. Consider temporary workarounds if immediate upgrade is not possible.
Currently, there are no known active exploitation campaigns targeting this vulnerability, but it remains a potential risk.
Refer to the official I Order Terms plugin website or WordPress plugin repository for the latest advisory and update information.