Platform: wordpress
Component: order-post
Fixed in: 2.0.3
CVE-2025-2805 is a vulnerability in the ORDER POST plugin for WordPress that allows arbitrary shortcode execution. The plugin passes user-supplied input to the do_shortcode function without validating it, so an unauthenticated attacker can submit a string containing any shortcode registered on the site and have it executed. All plugin versions up to and including 2.0.2 are affected; the fix is in version 2.0.3.
Successful exploitation lets an attacker invoke any shortcode registered on the site, including those provided by the theme and by other plugins, in a context where the author of that shortcode assumed only a trusted post editor could place it. Depending on which shortcodes are available, this can lead to website defacement, injection of malicious content into pages, disclosure of data the shortcode renders, and potentially execution of arbitrary code on the server if a shortcode that evaluates code is present. No authentication is required, which makes the flaw particularly dangerous. The impact therefore ranges from minor disruption to complete compromise of the site, determined not by the visitor's privileges but by what the callbacks of the reachable shortcodes do.
CVE-2025-2805 was publicly disclosed on April 10, 2025. There are currently no known public proof-of-concept exploits available, but the ease of exploitation makes it a likely target for opportunistic attackers. The vulnerability's lack of authentication requirement increases its risk profile. It is not currently listed on the CISA KEV catalog.
Websites utilizing the ORDER POST plugin, particularly those with limited security hardening or those running older, unpatched WordPress installations, are at significant risk. Shared hosting environments where plugin updates are managed by the hosting provider are also vulnerable until the provider applies the update.
• wordpress: locate the sink in the installed plugin. A hit only confirms the plugin is present; check the version to decide whether it is patched.
grep -rn 'do_shortcode(' /var/www/html/wp-content/plugins/order-post/
• wordpress: show the installed and available version of the plugin. Versions 2.0.2 and lower are affected.
wp plugin list --name=order-post --fields=name,status,version,update_version
• wordpress: update to the fixed release.
wp plugin update order-post
• generic web: check WordPress access logs for shortcode syntax in request URIs to front-end pages, i.e. bracketed tags such as [tag] or their URL-encoded form %5Btag%5D, particularly from unauthenticated sources. Standard access logs record only the query string, so shortcodes sent in a POST body will not appear there; a WAF or application-level request log is needed to see those.
EPSS: 1.35% (80th percentile)
The primary mitigation for CVE-2025-2805 is to upgrade the ORDER POST plugin to version 2.0.3 or later immediately. If the upgrade cannot be applied right away because of compatibility concerns, deactivate the plugin until it can be, since an inactive plugin's code is not loaded and the vulnerable path is then unreachable. A precise WAF rule is hard to write without knowing the exact parameter the plugin reads, but blocking or alerting on requests to the plugin's endpoints whose parameters contain shortcode brackets gives an early warning. After upgrading, confirm that the installed version reads 2.0.3 or later, then verify the fix by submitting a harmless registered shortcode (for example one of the site's own layout shortcodes) through the same plugin setting or form field and checking that it is rendered as literal text rather than expanded.
Update the ORDER POST plugin to version 2.0.3 or later to mitigate the arbitrary shortcode execution vulnerability. This release adds the missing validation of values before the do_shortcode function is called, preventing unauthorized shortcode execution by unauthenticated attackers.
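The pattern behind the flaw described above, and the shape of the fix the mitigation paragraph calls for, as an added illustration. This is not the ORDER POST plugin's own code: the `order` request parameter, the `order_post` and `export_users` shortcode names and the allowlist are invented for the example, and the small `add_shortcode`/`do_shortcode` stand-in exists only so the script runs outside WordPress; it is not the core implementation. Inside a real plugin the WordPress functions of the same name are used.

```php
<?php
declare(strict_types=1);

// Added illustration, not code from the ORDER POST plugin. Shows the generic
// pattern behind CVE-2025-2805: a request parameter reaches do_shortcode()
// unvalidated, so a visitor can invoke any shortcode registered on the site.

// --- Minimal stand-in for the WordPress shortcode registry (NOT core code) ---
// Exists only so this script runs outside WordPress; inside a plugin you would
// call the real add_shortcode()/do_shortcode() instead.
$GLOBALS['shortcode_tags'] = [];

function add_shortcode(string $tag, callable $callback): void
{
    $GLOBALS['shortcode_tags'][$tag] = $callback;
}

// Expands [tag attr="value"] for registered tags; unknown tags are left as-is,
// which mirrors what WordPress does.
function do_shortcode(string $content): string
{
    return preg_replace_callback(
        '/\[([a-z0-9_]+)((?:\s+[a-z_]+="[^"]*")*)\s*\]/i',
        static function (array $m): string {
            $tag = strtolower($m[1]);
            if (!isset($GLOBALS['shortcode_tags'][$tag])) {
                return $m[0];
            }
            preg_match_all('/([a-z_]+)="([^"]*)"/i', $m[2], $pairs, PREG_SET_ORDER);
            $atts = [];
            foreach ($pairs as $p) {
                $atts[strtolower($p[1])] = $p[2];
            }
            return (string) $GLOBALS['shortcode_tags'][$tag]($atts);
        },
        $content
    );
}

// --- Shortcodes registered on a hypothetical site ---
// The plugin's own shortcode (name assumed): renders posts in a requested order.
add_shortcode('order_post', static function (array $atts): string {
    return '[posts ordered by ' . ($atts['by'] ?? 'date') . ']';
});
// A privileged shortcode from some other plugin (hypothetical). Its author
// assumed only an editor writing post content could ever place it on a page.
add_shortcode('export_users', static function (array $atts): string {
    return 'admin@example.invalid, editor@example.invalid';
});

// --- Vulnerable pattern: raw request data becomes shortcode content ---
function render_vulnerable(array $request): string
{
    // No validation: whatever the visitor sends is parsed for shortcodes.
    return do_shortcode((string) ($request['order'] ?? ''));
}

// --- Hardened pattern: allowlist the value, build the shortcode server-side ---
const ALLOWED_ORDERS = ['date', 'title', 'rand'];

function render_hardened(array $request): string
{
    $order = (string) ($request['order'] ?? 'date');
    if (!in_array($order, ALLOWED_ORDERS, true)) {
        // Unknown value: fall back to the default instead of echoing input.
        $order = 'date';
    }
    // Only a known constant ever reaches do_shortcode(); visitor input cannot
    // introduce a tag of its own.
    return do_shortcode('[order_post by="' . $order . '"]');
}

// Constructed attack request: an unauthenticated visitor names a shortcode
// that was never meant to be reachable from a request parameter.
$attack = ['order' => '[export_users]'];

echo 'vulnerable: ' . render_vulnerable($attack) . PHP_EOL;
echo 'hardened:   ' . render_hardened($attack) . PHP_EOL;
```

Run with `php example.php`. The vulnerable handler expands `[export_users]` and returns the other plugin's output to the visitor; the hardened handler rejects the unknown value, falls back to `date`, and only ever hands do_shortcode a string it built itself. The design point is that do_shortcode is a sink: the fix is not to sanitize brackets out of the input but to stop untrusted input from being shortcode content at all, mapping it through an allowlist before any shortcode string is constructed.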
CVE-2025-2805 is a vulnerability in the ORDER POST WordPress plugin that allows unauthenticated attackers to execute arbitrary shortcodes due to improper input validation, potentially leading to website defacement or malicious code execution.
You are affected if you are running the ORDER POST plugin at version 2.0.2 or lower (the advisory lists 0.0 through 2.0.2) on any WordPress installation. Check the installed plugin version and upgrade immediately if it is in that range.
Upgrade the ORDER POST plugin to version 2.0.3 or later to resolve the vulnerability. If upgrading is not possible, temporarily disable the plugin.
While no public exploits are currently known, the vulnerability's ease of exploitation makes it a likely target for attackers. Proactive mitigation is recommended.
Refer to the ORDER POST plugin's official website or WordPress plugin repository for the latest advisory and update information.