Platform
wordpress
Component
usb-qr-code-scanner-for-woocommerce
Fixed in
1.0.1
CVE-2025-12588 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting the USB Qr Code Scanner For Woocommerce plugin for WordPress. This vulnerability allows unauthenticated attackers to modify the plugin's settings by crafting malicious requests and tricking administrators into executing them. The vulnerability impacts versions up to and including 1.0.0. A fix is expected in a future plugin release.
An attacker can exploit this CSRF vulnerability to maliciously alter the plugin's configuration. This could involve changing settings that impact how the plugin interacts with WooCommerce, potentially leading to data manipulation or unauthorized actions within the e-commerce store. The attacker needs to lure an administrator into clicking a crafted link containing the malicious request. Successful exploitation could compromise the integrity of the WooCommerce store and potentially expose sensitive data.
This vulnerability was publicly disclosed on 2025-11-11. No public proof-of-concept (PoC) code has been released at the time of writing. The vulnerability's severity is considered medium, indicating a moderate risk of exploitation. It is not currently listed on the CISA KEV catalog.
WordPress site administrators who use the USB Qr Code Scanner For Woocommerce plugin are at risk. Shared hosting environments where multiple WordPress sites share the same server resources could be particularly vulnerable, as an attacker might be able to exploit the vulnerability on one site to gain access to others.
• wordpress / composer / npm:
grep -r 'settings_update' /var/www/html/wp-content/plugins/usb-qr-code-scanner-for-woocommerce/includes/
• generic web:
curl -I 'https://your-wordpress-site.com/wp-admin/admin-post.php?action=usb_qr_code_scanner_settings_update&some_malicious_parameter=value' | grep -i '200 ok'
Exploit status
EPSS
0.02% (percentile 6%)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-12588 is to upgrade to a patched version of the USB Qr Code Scanner For Woocommerce plugin once available. Until a patch is released, consider implementing stricter access controls and user awareness training to prevent administrators from clicking suspicious links. Web Application Firewalls (WAFs) configured to detect and block CSRF attacks can also provide a layer of protection. Regularly review plugin settings for any unauthorized changes.
To fix this vulnerability, update the USB Qr Code Scanner For Woocommerce plugin to the latest available version. The update includes the nonce validation needed to prevent Cross-Site Request Forgery (CSRF) attacks on the settings page.
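The following is an added illustration, not code from the plugin or its author, of the pattern the fix describes: a WordPress admin-post.php settings handler that accepts any request from a logged-in administrator, beside a hardened version that ties the form to a nonce and a capability check. The option key, action slug, field name and allowed values are hypothetical placeholders; the WordPress functions used (wp_nonce_field, check_admin_referer, current_user_can, update_option, sanitize_text_field) are standard core API.

```php
<?php
// Added illustration (not the plugin's own code). Option key, action slug and
// field names are hypothetical placeholders chosen for this example.

define( 'EXAMPLE_OPTION', 'example_qr_scanner_settings' ); // hypothetical option key
define( 'EXAMPLE_ACTION', 'example_qr_scanner_save' );     // hypothetical admin-post action

/*
 * BEFORE: every request that reaches admin-post.php?action=example_qr_scanner_save
 * while an administrator is logged in is processed with that admin's session.
 * Nothing proves the request originated from the plugin's own settings page,
 * which is exactly what a CSRF attack relies on.
 */
function example_save_settings_vulnerable() {
    $settings = array(
        'scan_action' => isset( $_POST['scan_action'] ) ? $_POST['scan_action'] : '',
    );
    update_option( EXAMPLE_OPTION, $settings );
    wp_safe_redirect( admin_url( 'admin.php?page=example-qr-scanner' ) );
    exit;
}

/*
 * AFTER: the settings form embeds a nonce bound to the current user and this
 * action, and the handler refuses to run without it. A page on another origin
 * cannot read the nonce out of the admin form, so a forged submission fails.
 */
function example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="<?php echo esc_attr( EXAMPLE_ACTION ); ?>">
        <?php wp_nonce_field( EXAMPLE_ACTION, 'example_qr_nonce' ); ?>
        <label>Scan action <input type="text" name="scan_action"></label>
        <?php submit_button( 'Save settings' ); ?>
    </form>
    <?php
}

function example_save_settings_hardened() {
    // Capability check: only users allowed to manage the shop may change the
    // settings, regardless of how the request arrived.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // Nonce check: check_admin_referer() calls wp_die() when the nonce is
    // missing, expired, or was issued for another user or another action.
    check_admin_referer( EXAMPLE_ACTION, 'example_qr_nonce' );

    // Validate and sanitise the submitted value before storing it; only a
    // known set of values is accepted (hypothetical allow-list).
    $allowed     = array( 'add_to_cart', 'lookup' );
    $scan_action = isset( $_POST['scan_action'] )
        ? sanitize_text_field( wp_unslash( $_POST['scan_action'] ) )
        : '';
    if ( ! in_array( $scan_action, $allowed, true ) ) {
        $scan_action = 'lookup';
    }

    update_option( EXAMPLE_OPTION, array( 'scan_action' => $scan_action ) );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'admin.php?page=example-qr-scanner' ) ) );
    exit;
}

// Only the hardened handler is registered; the vulnerable one is kept for comparison.
add_action( 'admin_post_' . EXAMPLE_ACTION, 'example_save_settings_hardened' );
```

The two checks address different failures: the capability check stops a low-privilege account from reaching the handler directly, while the nonce check stops a privileged account from being driven there by a page it did not intend to submit. Both are needed; a nonce alone still lets any logged-in user who can view the form save settings, and a capability check alone still accepts a forged request from an administrator's browser.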
CVE-2025-12588 is a Cross-Site Request Forgery (CSRF) vulnerability in the USB Qr Code Scanner For Woocommerce WordPress plugin, allowing attackers to modify settings via forged requests.
You are affected if you are using the USB Qr Code Scanner For Woocommerce plugin version 1.0.0 or earlier.
Upgrade to a patched version of the plugin once available. Until then, implement stricter access controls and WAF rules.
There is no confirmed active exploitation of CVE-2025-12588 at this time, but the vulnerability is publicly known.
Check the plugin developer's website or WordPress plugin repository for updates and advisories related to CVE-2025-12588.