Platform: wordpress
Component: kirimemail-woocommerce-integration
Fixed version: 1.3.0
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Kirim.Email WooCommerce Integration plugin for WordPress. This flaw, present in versions 1.0.0 through 1.2.9, allows unauthenticated attackers to potentially modify the plugin's API credentials and integration settings. The vulnerability stems from a lack of nonce validation on the plugin's settings page. A fix is available in version 1.3.0.
Successful exploitation of this CSRF vulnerability allows an attacker to forge a settings request that the administrator's own browser submits with the administrator's session cookie: the request is authenticated, but it was never intended by the administrator, and the missing nonce check means the plugin cannot tell the difference. This enables the attacker to modify critical plugin settings, such as the API key and integration configuration. Compromising these settings could lead to unauthorized sending of email through the attacker's own Kirim.Email account, exposure of data if the API key grants access to customer information, and disruption of WooCommerce order processing that depends on the integration. The attacker needs to lure an administrator who is logged in to WordPress into clicking a malicious link or visiting a crafted page that issues the forged request. Browsers' SameSite=Lax default for cookies narrows the window for cross-site POST submissions, but it is not a substitute for the nonce check, particularly if the settings handler also accepts GET.
This vulnerability was publicly disclosed on 2025-12-12. No public proof-of-concept (PoC) code has been identified at the time of writing. The vulnerability's CVSS score of 4.3 (MEDIUM) indicates a moderate risk of exploitation. It is not currently listed on the CISA KEV catalog.
WordPress sites running the affected plugin versions are at risk whenever an administrator with an active logged-in session visits attacker-controlled content (a link in email, a forum post, an embedded frame on a third-party page). Hosting type does not change the exposure; what matters is that the settings request is accepted on the strength of the session cookie alone. Sites whose administrators routinely browse untrusted sites in the same browser profile as the WordPress dashboard are the most likely targets.
• wordpress / composer / npm:
grep -r 'kirim_email_settings' /var/www/html/wp-content/plugins/
wp plugin list --status=all --fields=name,version | grep -i kirimemail
• generic web: Check for unusual API key changes in the plugin's WooCommerce email settings. Monitor WordPress admin activity logs for unexpected requests to the Kirim.Email plugin settings page, especially ones whose Referer or Origin header is not your own site.
disclosure
Exploitation status
EPSS: 0.02% (4th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade the Kirim.Email WooCommerce Integration plugin to version 1.3.0 or later, which adds the missing nonce validation. If immediate upgrading is not possible, consider a Web Application Firewall (WAF) rule that blocks requests to the plugin's settings endpoint whose Origin or Referer header does not match your site. Review user permissions and restrict access to the plugin's settings page to only the administrators who need it; note that this does not by itself stop CSRF, since the forged request is sent by an authorized administrator's own browser, but it reduces the number of accounts that can be targeted. Regularly audit the plugin's stored API key and integration configuration for unauthorized changes.
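To make the root cause concrete, the following is an added example and not the plugin's own code: a settings-save handler for a hypothetical WordPress plugin, first in the CSRF-prone shape the advisory describes (no nonce check), then hardened with `check_admin_referer()` and a capability check. The option names, the `kirimemail_save_settings` action name and the form field names are assumptions for illustration; the WordPress functions used (`wp_nonce_field`, `check_admin_referer`, `current_user_can`, `update_option`, `admin_url`) are standard core API.

```php
<?php
/**
 * Added example (not the plugin's own code). Option names, action name and
 * field names are assumptions chosen for illustration.
 */

// --- Before (the vulnerable shape): any POST to
// admin-post.php?action=kirimemail_save_settings is honoured as long as the
// browser carries an administrator session cookie. A page on another origin
// can auto-submit such a form, so the request is authenticated but was never
// intended by the administrator. This function is shown for comparison only
// and is deliberately not hooked below.
function kirimemail_save_settings_vulnerable() {
    update_option( 'kirimemail_api_key', sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) ) );
    update_option( 'kirimemail_list_id', sanitize_text_field( wp_unslash( $_POST['list_id'] ?? '' ) ) );
    wp_safe_redirect( admin_url( 'admin.php?page=kirimemail&saved=1' ) );
    exit;
}

// --- After: the settings page embeds a nonce tied to the action string and to
// the current user's session. A cross-site page cannot read this value, so a
// forged form lacks a valid _wpnonce field.
function kirimemail_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="kirimemail_save_settings">
        <?php wp_nonce_field( 'kirimemail_save_settings' ); ?>
        <label>API key
            <input type="text" name="api_key" value="<?php echo esc_attr( get_option( 'kirimemail_api_key', '' ) ); ?>">
        </label>
        <label>List ID
            <input type="text" name="list_id" value="<?php echo esc_attr( get_option( 'kirimemail_list_id', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save settings' ); ?>
    </form>
    <?php
}

function kirimemail_save_settings_hardened() {
    // Authorization: only users allowed to manage options may change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // CSRF: verify the _wpnonce field against the action string. On a missing
    // or invalid nonce check_admin_referer() calls wp_die() and nothing below
    // runs, so a cross-site submission can never reach update_option().
    check_admin_referer( 'kirimemail_save_settings' );

    update_option( 'kirimemail_api_key', sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) ) );
    update_option( 'kirimemail_list_id', sanitize_text_field( wp_unslash( $_POST['list_id'] ?? '' ) ) );
    wp_safe_redirect( add_query_arg( 'saved', '1', admin_url( 'admin.php?page=kirimemail' ) ) );
    exit;
}

// admin-post.php dispatches authenticated POSTs to the admin_post_{action} hook.
// Only the hardened handler is registered.
add_action( 'admin_post_kirimemail_save_settings', 'kirimemail_save_settings_hardened' );
```

Two points worth checking when reviewing a fix like this in a real plugin: the nonce action string passed to `check_admin_referer()` must be the same one used in `wp_nonce_field()`, and the capability check should sit beside the nonce check, because a nonce alone only proves the request came from the plugin's own page, not that the submitting user is allowed to change the setting.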
A fixed release (1.3.0) is available, as noted above. Review the vulnerability details carefully and implement mitigations according to your organization's risk tolerance; if the plugin cannot be upgraded, uninstalling it and finding an alternative integration may be the best option.
CVE-2025-14165 is a Cross-Site Request Forgery (CSRF) vulnerability affecting Kirim.Email WooCommerce Integration versions 1.0.0–1.2.9, allowing attackers to modify plugin settings.
You are affected if your WordPress site uses Kirim.Email WooCommerce Integration version 1.0.0 through 1.2.9. Upgrade to 1.3.0 or later to mitigate the risk.
Upgrade the Kirim.Email WooCommerce Integration plugin to version 1.3.0 or later. Consider WAF rules and restricted admin access as temporary mitigations.
There is no confirmed active exploitation of CVE-2025-14165 at this time, but the vulnerability is publicly known.
Refer to the Kirim.Email plugin documentation or their official website for the latest advisory regarding CVE-2025-14165.