ORDER POST <= 2.0.2 - Unauthenticated Arbitrary Shortcode Execution
Platform: wordpress
Component: order-post
Fixed in: 2.0.3
CVE-2025-2805 is a vulnerability affecting the ORDER POST plugin for WordPress, allowing for arbitrary shortcode execution. This flaw stems from insufficient validation of user-supplied input before utilizing the do_shortcode function, enabling unauthenticated attackers to inject and execute malicious shortcodes. The vulnerability impacts versions 0.0 through 2.0.2, and a patch is available in version 2.0.3.
Impact and Attack Scenarios
Successful exploitation of CVE-2025-2805 allows an attacker to execute arbitrary shortcodes on a WordPress site using the vulnerable plugin. This can lead to a wide range of malicious activities, including website defacement, the injection of malicious content, and potentially even the execution of arbitrary code on the server. The attacker does not need to authenticate to exploit this vulnerability, making it particularly dangerous. The impact can range from minor disruptions to complete compromise of the WordPress site, depending on the shortcodes executed and the privileges associated with the WordPress user account running the plugin.
Exploitation Context
CVE-2025-2805 was publicly disclosed on April 10, 2025. There are currently no known public proof-of-concept exploits available, but the ease of exploitation makes it a likely target for opportunistic attackers. The vulnerability's lack of authentication requirement increases its risk profile. It is not currently listed on the CISA KEV catalog.
Who Is at Risk
Websites utilizing the ORDER POST plugin, particularly those with limited security hardening or those running older, unpatched WordPress installations, are at significant risk. Shared hosting environments where plugin updates are managed by the hosting provider are also vulnerable until the provider applies the update.
Detection Steps
- wordpress / composer / npm: locate the call site in the installed plugin code:
grep -r 'do_shortcode(' /var/www/html/wp-content/plugins/order-post/
- wordpress / composer / npm: confirm whether the plugin is installed and which version and status it has (listing only inactive plugins would miss the active, exposed case):
wp plugin list | grep 'order-post'
- wordpress / composer / npm: apply the fix:
wp plugin update order-post
- generic web: Check WordPress access logs for unusual shortcode usage patterns, particularly those originating from unauthenticated requests.
Attack Timeline
- Disclosure
Threat Intelligence
EPSS: 1.35% (80th percentile)
CVSS Vector
What do these metrics mean?
- Attack Vector: Network. Exploitable remotely over the internet; no physical or local access required.
- Attack Complexity: Low. No special conditions required; reliably exploitable.
- Privileges Required: None. Unauthenticated; no credentials are needed to exploit.
- User Interaction: None. The attack is automatic and silent; the victim does nothing.
- Scope: Unchanged. Impact is limited to the vulnerable component.
- Confidentiality: Low. Partial or indirect access to some data.
- Integrity: Low. The attacker can modify some data with limited impact.
- Availability: Low. Partial or intermittent denial of service.
Mitigation and Workarounds
The primary mitigation for CVE-2025-2805 is to immediately upgrade the ORDER POST plugin to version 2.0.3 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin to prevent exploitation. While a direct WAF rule is difficult to implement without specific shortcode patterns, monitoring for unusual shortcode usage in WordPress access logs can provide an early warning sign. After upgrading, verify the fix by attempting to inject a simple, benign shortcode through a plugin setting or form field to confirm that it is properly sanitized.
How to fix
Update the ORDER POST plugin to version 2.0.3 or later to mitigate the arbitrary shortcode execution vulnerability. This update corrects the missing validation of values before the do_shortcode function is executed, preventing unauthenticated attackers from running shortcodes without authorization.
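The defect class the advisory describes (request-controlled text reaching do_shortcode) beside a hardened form, as an added illustration that is not the ORDER POST plugin's own code; the handler, hook name, parameter names and shortcode tags are hypothetical:

```php
<?php
// Added illustration, not the ORDER POST plugin's code: a hypothetical AJAX
// handler that renders a post-ordering shortcode chosen by the client.

// VULNERABLE pattern (the defect class the advisory describes): request text
// reaches do_shortcode() unvalidated, so any registered shortcode can be run.
function op_demo_render_vulnerable() {
    $raw = isset( $_POST['shortcode'] ) ? wp_unslash( $_POST['shortcode'] ) : '';
    echo do_shortcode( $raw ); // client-controlled "[...]" markup executed as-is
    wp_die();
}

// HARDENED pattern: the client picks a layout name, never raw shortcode
// markup; the name is checked against a fixed allow-list and the shortcode
// string is assembled server-side with typed, bounded attributes.
function op_demo_render_hardened() {
    $allowed = array( 'order_post_list', 'order_post_grid' ); // hypothetical tags

    $tag = isset( $_POST['layout'] ) ? sanitize_key( wp_unslash( $_POST['layout'] ) ) : '';
    if ( ! in_array( $tag, $allowed, true ) || ! shortcode_exists( $tag ) ) {
        wp_send_json_error( 'unknown layout', 400 ); // reject instead of executing
    }

    $count = isset( $_POST['count'] ) ? absint( $_POST['count'] ) : 5;
    $count = min( max( $count, 1 ), 50 ); // keep the attribute inside a sane range

    echo do_shortcode( sprintf( '[%s count="%d"]', $tag, $count ) );
    wp_die();
}

// If the feature is not meant for anonymous visitors, register it only for
// logged-in users (no wp_ajax_nopriv_ hook) and gate it with a capability check.
add_action( 'wp_ajax_op_demo_render', function () {
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    op_demo_render_hardened();
} );
```

The advisory's suggested post-upgrade check (submitting a benign shortcode through the plugin's form field) should, against the hardened form, produce the 400 rejection rather than rendered output.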
Frequently Asked Questions
What is CVE-2025-2805 — Arbitrary Shortcode in ORDER POST WordPress Plugin?
CVE-2025-2805 is a vulnerability in the ORDER POST WordPress plugin that allows unauthenticated attackers to execute arbitrary shortcodes due to improper input validation, potentially leading to website defacement or malicious code execution.
Am I affected by CVE-2025-2805 in ORDER POST WordPress Plugin?
You are affected if you are running the ORDER POST WordPress plugin at any version from 0.0 through 2.0.2. Check your plugin version and upgrade immediately if vulnerable.
How do I fix CVE-2025-2805 in ORDER POST WordPress Plugin?
Upgrade the ORDER POST plugin to version 2.0.3 or later to resolve the vulnerability. If upgrading is not possible, temporarily disable the plugin.
Is CVE-2025-2805 being actively exploited?
While no public exploits are currently known, the vulnerability's ease of exploitation makes it a likely target for attackers. Proactive mitigation is recommended.
Where can I find the official ORDER POST advisory for CVE-2025-2805?
Refer to the ORDER POST plugin's official website or WordPress plugin repository for the latest advisory and update information.