Platform
wordpress
Component
torod
Fixed in
1.10.0
CVE-2025-12373 describes a Cross-Site Request Forgery (CSRF) vulnerability present in the Torod WordPress plugin. This flaw allows unauthenticated attackers to manipulate plugin settings if they can trick a site administrator into performing a malicious action. The vulnerability impacts versions 1.0.0 through 1.9, and a fix is available in version 2.0.
The primary impact of this CSRF vulnerability lies in the potential for unauthorized modification of the Torod plugin's settings. An attacker could craft a malicious link or embed a hidden form on a website that, when visited by an administrator, would silently execute a request to change shipping configurations, update API keys, or alter other critical plugin parameters. This could lead to incorrect shipping rates, compromised data, or even complete disruption of the e-commerce platform's shipping functionality. The blast radius extends to any website using the vulnerable Torod plugin, and the ease of exploitation makes it a significant risk, particularly for sites with a large administrator base.
This vulnerability was publicly disclosed on 2025-12-05. There is currently no indication of active exploitation campaigns targeting this specific CVE. The vulnerability's relatively low CVSS score (4.3) suggests a lower probability of exploitation compared to more critical vulnerabilities. No public proof-of-concept (PoC) code has been identified as of this writing.
Websites using the Torod plugin for shipping and delivery management are at risk. Sites with multiple administrators, or those that frequently grant guest access to administrative areas, are more exposed, since the attacker only needs to trick one authenticated administrator into issuing the forged request.
• wordpress / composer / npm (locate the settings handler in the installed plugin):
  grep -r 'save_settings' /var/www/html/wp-content/plugins/torod/
• wordpress / composer / npm (confirm the installed plugin version):
  wp plugin list --status=all | grep torod
• wordpress / composer / npm (apply the update):
  wp plugin update torod
• generic web: Check the WordPress plugin directory for updates and security advisories related to Torod.
disclosure
Exploit Status
EPSS
0.02% (4th percentile)
CISA SSVC
CVSS-vector
The recommended mitigation is to immediately upgrade the Torod plugin to version 2.0 or later, which addresses the nonce validation issue. If upgrading is not immediately feasible because of compatibility concerns or breaking changes, consider a Web Application Firewall (WAF) rule that blocks requests to the save_settings endpoint lacking proper CSRF protection. Additionally, educate administrators about the risks of clicking suspicious links or visiting untrusted websites. After upgrading, confirm the fix by submitting a request to the save_settings endpoint without a valid nonce and verifying that the action is rejected.
Update to version 2.0, or a newer patched version
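The nonce validation issue described above is the standard WordPress CSRF defect: a settings-save handler reached through admin-post.php that trusts any request carrying an administrator's session cookie. The following is an added example, not the Torod plugin's own code; the action name, option keys and field names (example_save_settings, example_shipping_api_key, _example_nonce) are hypothetical and only the pattern is the point. It shows the vulnerable shape next to the hardened one that the fix in 2.0 corresponds to.

```php
<?php
// Added example (not code from the Torod plugin). Hypothetical action and
// option names; the pattern is what matters.

// --- Vulnerable pattern -----------------------------------------------------
// A hidden <form> on a third-party page, submitted by an administrator's
// browser, carries the admin's cookies, so this handler silently overwrites
// the settings. Nothing ties the request to a form WordPress itself rendered.
function example_save_settings_vulnerable() {
    update_option( 'example_shipping_api_key', $_POST['api_key'] );
    update_option( 'example_shipping_rate', $_POST['rate'] );
    wp_safe_redirect( admin_url( 'admin.php?page=example-settings&saved=1' ) );
    exit;
}
// The defect is registering this handler as-is:
// add_action( 'admin_post_example_save_settings', 'example_save_settings_vulnerable' );

// --- Hardened pattern -------------------------------------------------------
// The settings form embeds a nonce bound to the current user and action.
function example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_settings">
        <?php wp_nonce_field( 'example_save_settings', '_example_nonce' ); ?>
        <label>API key <input type="text" name="api_key"></label>
        <label>Rate <input type="number" name="rate" step="0.01"></label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function example_save_settings_hardened() {
    // 1. Capability check: only users who may manage options get this far.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }

    // 2. CSRF check: the nonce is only present in a form WordPress rendered
    //    for this logged-in user, so a forged cross-site request cannot
    //    supply it. check_admin_referer() calls wp_die() (HTTP 403) on failure.
    check_admin_referer( 'example_save_settings', '_example_nonce' );

    // 3. Never store raw request data; sanitise and cast.
    $api_key = isset( $_POST['api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) )
        : '';
    $rate = isset( $_POST['rate'] ) ? floatval( $_POST['rate'] ) : 0.0;

    update_option( 'example_shipping_api_key', $api_key );
    update_option( 'example_shipping_rate', $rate );
    wp_safe_redirect( admin_url( 'admin.php?page=example-settings&saved=1' ) );
    exit;
}
add_action( 'admin_post_example_save_settings', 'example_save_settings_hardened' );
```

The post-upgrade check in the mitigation text maps directly onto this: a POST to admin-post.php with action=example_save_settings but without a valid _example_nonce must be answered by the "link you followed has expired" wp_die page with status 403, and the options must remain unchanged. The capability check is kept alongside the nonce check because a nonce alone only proves the request came from a form rendered for that user, not that the user is allowed to change settings.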
CVE-2025-12373 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Torod WordPress plugin, allowing attackers to modify plugin settings without authentication.
You are affected if you are using Torod WordPress plugin versions 1.0.0 through 1.9. Upgrade to version 2.0 to mitigate the risk.
Upgrade the Torod plugin to version 2.0 or later. As a temporary workaround, implement a WAF rule to block suspicious requests to the save_settings endpoint.
There is currently no evidence of active exploitation campaigns targeting CVE-2025-12373, but it remains a potential risk.
Refer to the Torod plugin's official website or WordPress plugin directory for the latest security advisory and update information.