Platform: wordpress
Component: kirimemail-woocommerce-integration
Fixed in: 1.3.0
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Kirim.Email WooCommerce Integration plugin for WordPress. This flaw, present in versions 1.0.0 through 1.2.9, allows unauthenticated attackers to potentially modify the plugin's API credentials and integration settings. The vulnerability stems from a lack of nonce validation on the plugin's settings page. A fix is available in version 1.3.0.
Successful exploitation of this CSRF vulnerability allows an attacker to forge requests that appear to originate from a legitimate administrator. This enables them to modify critical plugin settings, such as API keys and integration configurations, without proper authentication. Compromising these settings could lead to unauthorized sending of emails, data breaches if API keys grant access to sensitive information, and potential disruption of WooCommerce order processing. The attacker needs to trick an administrator into clicking a malicious link or visiting a crafted page to trigger the forged request.
This vulnerability was publicly disclosed on 2025-12-12. No public proof-of-concept (PoC) code has been identified at the time of writing. The vulnerability's CVSS score of 4.3 (MEDIUM) indicates a moderate risk of exploitation. It is not currently listed on the CISA KEV catalog.
WordPress sites utilizing the Kirim.Email WooCommerce Integration plugin, particularly those with shared hosting environments or legacy configurations where administrator access is not strictly controlled, are at risk. Sites where administrators frequently click on links from untrusted sources are also more vulnerable.
• wordpress / composer / npm:
  grep -r 'kirim_email_settings' /var/www/html/wp-content/plugins/
• wordpress / composer / npm:
  wp plugin list --status=all | grep Kirim.Email
• generic web: Check for unusual API key changes in WooCommerce email settings. Monitor WordPress admin activity logs for suspicious requests to the Kirim.Email plugin settings page.
EPSS: 0.02% (4th percentile)
The primary mitigation is to upgrade the Kirim.Email WooCommerce Integration plugin to version 1.3.0 or later, which includes the necessary nonce validation. If immediate upgrading is not possible, consider implementing a Web Application Firewall (WAF) rule to block suspicious requests targeting the plugin's settings endpoint. Carefully review user permissions and restrict access to the plugin's settings page to only authorized administrators. Regularly audit the plugin's configuration for any unauthorized changes.
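To make the missing check concrete, here is an added illustration (not the plugin's own code; every `demo_` name is hypothetical) of a WordPress settings handler that saves an API key without any nonce, beside the same handler protected with a capability check and `check_admin_referer()`, which is the kind of nonce validation the advisory says version 1.3.0 adds:

```php
<?php
// Added illustration, not the plugin's code. All "demo_" names are hypothetical.

// Vulnerable pattern: the handler trusts any POST that reaches it, so a form
// auto-submitted from an attacker-controlled page by a logged-in admin's
// browser is accepted and overwrites the stored API key.
function demo_save_settings_vulnerable() {
    if ( isset( $_POST['demo_api_key'] ) ) {
        update_option( 'demo_api_key', sanitize_text_field( wp_unslash( $_POST['demo_api_key'] ) ) );
    }
}

// Hardened pattern, part 1: the form embeds a nonce bound to this action and
// to the current user, so a cross-site page cannot produce a valid token.
function demo_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_save_settings">
        <?php wp_nonce_field( 'demo_save_settings', 'demo_nonce' ); ?>
        <input type="text" name="demo_api_key"
               value="<?php echo esc_attr( get_option( 'demo_api_key', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Hardened pattern, part 2: refuse the request unless the caller is an
// administrator AND presents the nonce issued for this exact action.
function demo_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    // check_admin_referer() calls wp_die() with a 403 when the nonce is
    // missing, expired, or was issued for another action or user.
    check_admin_referer( 'demo_save_settings', 'demo_nonce' );

    if ( isset( $_POST['demo_api_key'] ) ) {
        update_option( 'demo_api_key', sanitize_text_field( wp_unslash( $_POST['demo_api_key'] ) ) );
    }
    wp_safe_redirect( admin_url( 'options-general.php?page=demo-settings&updated=1' ) );
    exit;
}

// Only the hardened handler is wired to admin-post.php.
add_action( 'admin_post_demo_save_settings', 'demo_save_settings_hardened' );
```

Note that the capability check alone would not stop this CSRF, because the forged request is sent by a browser that already holds the administrator's session cookie; the nonce is what ties the request to a form the site itself served.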
CVE-2025-14165 is a Cross-Site Request Forgery (CSRF) vulnerability affecting Kirim.Email WooCommerce Integration versions 1.0.0–1.2.9, allowing attackers to modify plugin settings.
You are affected if your WordPress site uses Kirim.Email WooCommerce Integration version 1.0.0 through 1.2.9. Upgrade to 1.3.0 or later to mitigate the risk.
Upgrade the Kirim.Email WooCommerce Integration plugin to version 1.3.0 or later. Consider WAF rules and restricted admin access as temporary mitigations.
There is no confirmed active exploitation of CVE-2025-14165 at this time, but the vulnerability is publicly known.
Refer to the Kirim.Email plugin documentation or their official website for the latest advisory regarding CVE-2025-14165.