Platform
wordpress
Component
usb-qr-code-scanner-for-woocommerce
Fixed in
1.0.1
CVE-2025-12588 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting the USB Qr Code Scanner For Woocommerce plugin for WordPress. This vulnerability allows unauthenticated attackers to modify the plugin's settings by crafting malicious requests and tricking administrators into executing them. The vulnerability impacts versions up to and including 1.0.0. A fix is expected in a future plugin release.
An attacker can exploit this CSRF vulnerability to maliciously alter the plugin's configuration. This could involve changing settings that impact how the plugin interacts with WooCommerce, potentially leading to data manipulation or unauthorized actions within the e-commerce store. The attacker needs to lure an administrator into clicking a crafted link containing the malicious request. Successful exploitation could compromise the integrity of the WooCommerce store and potentially expose sensitive data.
This vulnerability was publicly disclosed on 2025-11-11. No public proof-of-concept (PoC) code has been released at the time of writing. The vulnerability's severity is considered medium, indicating a moderate risk of exploitation. It is not currently listed on the CISA KEV catalog.
WordPress site administrators who use the USB Qr Code Scanner For Woocommerce plugin are at risk. Shared hosting environments where multiple WordPress sites share the same server resources could be particularly vulnerable, as an attacker might be able to exploit the vulnerability on one site to gain access to others.
• wordpress / composer / npm:
grep -r 'settings_update' /var/www/html/wp-content/plugins/usb-qr-code-scanner-for-woocommerce/includes/
• generic web:
curl -I 'https://your-wordpress-site.com/wp-admin/admin-post.php?action=usb_qr_code_scanner_settings_update&some_malicious_parameter=value' | grep -i '200 ok'
Disclosure
Exploit Status
EPSS
0.02% (6th percentile)
CISA SSVC
CVSS-vector
The primary mitigation for CVE-2025-12588 is to upgrade to a patched version of the USB Qr Code Scanner For Woocommerce plugin once available. Until a patch is released, consider implementing stricter access controls and user awareness training to prevent administrators from clicking suspicious links. Web Application Firewalls (WAFs) configured to detect and block CSRF attacks can also provide a layer of protection. Regularly review plugin settings for any unauthorized changes.
To remediate this vulnerability, update the USB Qr Code Scanner For Woocommerce plugin to the latest available version. The update will include the nonce validation needed to prevent Cross-Site Request Forgery (CSRF) attacks against the configuration page.
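As an added illustration of the nonce validation described above (example code, not the plugin's own), the snippet below shows a WordPress admin-post settings handler without CSRF protection next to a hardened version. The action name is taken from the advisory; the option name, nonce action, capability choice and field names (usb_qr_*) are assumptions.

```php
<?php
// Added example, not the plugin's code. Action name from the advisory;
// option/nonce/field names (usb_qr_*) are hypothetical.

// BEFORE: no nonce and no capability check. Any POST carrying the
// administrator's session cookie is accepted, which is what CSRF abuses.
function usb_qr_settings_update_unsafe() {
    update_option( 'usb_qr_scanner_settings', $_POST['settings'] );
    wp_safe_redirect( admin_url( 'admin.php?page=usb-qr-scanner' ) );
    exit;
}

// AFTER: (1) caller must be logged in with rights to change options,
// (2) request must carry a valid nonce bound to this action and user,
// (3) input is sanitized before it is stored.
function usb_qr_settings_update_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'usb-qr' ), '', array( 'response' => 403 ) );
    }
    // Stops the request with a 403 when the nonce is missing, forged,
    // issued for another user, or past its lifetime (24h by default).
    check_admin_referer( 'usb_qr_settings_update', 'usb_qr_nonce' );

    $raw      = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) ) ? $_POST['settings'] : array();
    $settings = array(
        'enabled'     => ! empty( $raw['enabled'] ) ? 1 : 0,
        'scan_prefix' => sanitize_text_field( wp_unslash( $raw['scan_prefix'] ?? '' ) ),
    );
    update_option( 'usb_qr_scanner_settings', $settings );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'admin.php?page=usb-qr-scanner' ) ) );
    exit;
}
// Register only the hardened handler. The admin_post_ hook (as opposed to
// admin_post_nopriv_) already keeps anonymous requests away from it.
add_action( 'admin_post_usb_qr_code_scanner_settings_update', 'usb_qr_settings_update_safe' );

// The settings form must emit the matching nonce so legitimate saves pass.
function usb_qr_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="usb_qr_code_scanner_settings_update">
        <?php wp_nonce_field( 'usb_qr_settings_update', 'usb_qr_nonce' ); ?>
        <label><input type="checkbox" name="settings[enabled]" value="1"> Enable scanner</label>
        <input type="text" name="settings[scan_prefix]">
        <?php submit_button( 'Save settings' ); ?>
    </form>
    <?php
}
```

A cross-site page cannot read the per-user nonce value, so a forged POST fails the `check_admin_referer` step even when the victim is logged in as an administrator.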
CVE-2025-12588 is a Cross-Site Request Forgery (CSRF) vulnerability in the USB Qr Code Scanner For Woocommerce WordPress plugin, allowing attackers to modify settings via forged requests.
You are affected if you are using the USB Qr Code Scanner For Woocommerce plugin version 1.0.0 or earlier.
Upgrade to a patched version of the plugin once available. Until then, implement stricter access controls and WAF rules.
There is no confirmed active exploitation of CVE-2025-12588 at this time, but the vulnerability is publicly known.
Check the plugin developer's website or WordPress plugin repository for updates and advisories related to CVE-2025-12588.