Platform
wordpress
Component
usb-qr-code-scanner-for-woocommerce
Fixed in
1.0.1
CVE-2025-12588 describes a Cross-Site Request Forgery (CSRF) vulnerability in the USB Qr Code Scanner For Woocommerce plugin for WordPress. The settings handler accepts state-changing requests without nonce validation, so an unauthenticated attacker can forge a request that changes the plugin's settings and have a logged-in administrator's browser submit it. All versions up to and including 1.0.0 are affected; the issue is fixed in version 1.0.1.
The attacker does not need an account on the target site. Because the forged request is sent by the administrator's own browser, it carries the administrator's session cookies and is processed as a legitimate settings update. To trigger it, the attacker lures an administrator who is logged in to the site into clicking a crafted link or visiting an attacker-controlled page that auto-submits the request. The concrete impact depends on which settings the plugin exposes, but altering how the scanner feeds products into WooCommerce can affect order integrity and open the door to further unauthorized changes in the store.
This vulnerability was publicly disclosed on 2025-11-11. No public proof-of-concept (PoC) code had been released at the time of writing. The severity is rated medium. It is not listed in the CISA KEV catalog.
Any WordPress site running the USB Qr Code Scanner For Woocommerce plugin at version 1.0.0 or earlier is affected. Exploitation requires an administrator with an active session to be tricked into making the request, so sites whose administrators browse other pages while logged in to wp-admin are the realistic targets.
• wordpress / composer / npm:
# Confirms the plugin is installed and locates its settings-update code path.
# This shows presence, not the installed version; the authoritative check is the
# plugin's Version header (vulnerable if 1.0.0 or earlier, fixed in 1.0.1).
grep -r 'settings_update' /var/www/html/wp-content/plugins/usb-qr-code-scanner-for-woocommerce/includes/
• generic web:
# Only shows whether the admin-post.php action endpoint answers; a CSRF cannot be
# confirmed from outside without an authenticated admin session. The URL must be
# quoted, otherwise the shell treats '&' as a command separator. HTTP/2 servers
# answer 'HTTP/2 200' rather than '200 OK', so match on the status line instead.
curl -sI 'https://your-wordpress-site.com/wp-admin/admin-post.php?action=usb_qr_code_scanner_settings_update&some_malicious_parameter=value' | grep -i '^HTTP/'
Exploit status
EPSS
0.02% (6th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-12588 is to upgrade the USB Qr Code Scanner For Woocommerce plugin to version 1.0.1 or later. Where the update cannot be applied immediately, reduce the attack window: keep administrators from browsing untrusted sites while logged in to wp-admin, and make sure session cookies carry the SameSite attribute (a Lax or Strict SameSite cookie is not sent on cross-site POSTs from a third-party page). A Web Application Firewall (WAF) rule that rejects requests to the plugin's settings action lacking a valid Referer or Origin header for your domain adds a layer of defence, but it is not a substitute for the nonce check the patch introduces. Review the plugin's settings for unauthorized changes after any suspected exposure.
To fix this vulnerability, update the USB Qr Code Scanner For Woocommerce plugin to the latest available version. The update adds the nonce validation needed to prevent Cross-Site Request Forgery (CSRF) on the settings page.
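The following is an added example of the bug class and of the fix the advisory describes; it is not code from the USB Qr Code Scanner For Woocommerce plugin. The hook name `usbqr_save_settings`, the option `usbqr_settings`, the nonce field `usbqr_nonce`, the settings keys and the `manage_woocommerce` capability are all hypothetical placeholders, chosen only to make the example complete.

```php
<?php
/**
 * Added example, not code from the USB Qr Code Scanner For Woocommerce plugin.
 * Hook, option, field and capability names below are hypothetical.
 */

// --- Vulnerable pattern -----------------------------------------------------
// admin-post.php dispatches any POST carrying action=usbqr_save_settings to the
// registered handler. The only thing tying the request to the admin is the
// session cookie, which the browser also attaches to cross-site form posts.
// With no nonce and no capability check, a form on an attacker's page that
// auto-submits to admin-post.php rewrites the option.
function usbqr_save_settings_vulnerable() {
    $settings = isset( $_POST['usbqr_settings'] ) ? wp_unslash( $_POST['usbqr_settings'] ) : array();
    update_option( 'usbqr_settings', $settings );
    wp_safe_redirect( admin_url( 'admin.php?page=usbqr-settings' ) );
    exit;
}
// Left unregistered on purpose; shown for contrast only.
// add_action( 'admin_post_usbqr_save_settings', 'usbqr_save_settings_vulnerable' );

// --- Fixed pattern ----------------------------------------------------------
// 1. The settings form embeds a nonce bound to the action and to the current user.
function usbqr_render_settings_form() {
    $settings = get_option( 'usbqr_settings', array( 'prefix' => '', 'auto_add' => 0 ) );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="usbqr_save_settings">
        <?php wp_nonce_field( 'usbqr_save_settings', 'usbqr_nonce' ); ?>
        <label>Barcode prefix
            <input type="text" name="usbqr_settings[prefix]"
                   value="<?php echo esc_attr( $settings['prefix'] ); ?>">
        </label>
        <label>
            <input type="checkbox" name="usbqr_settings[auto_add]" value="1"
                   <?php checked( ! empty( $settings['auto_add'] ) ); ?>>
            Add scanned product to the order automatically
        </label>
        <?php submit_button( 'Save settings' ); ?>
    </form>
    <?php
}

// 2. The handler checks the caller's capability, refuses requests without a
//    valid nonce, and stores only the keys it knows about.
function usbqr_save_settings_fixed() {
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.' ), '', array( 'response' => 403 ) );
    }
    // check_admin_referer() calls wp_die() when usbqr_nonce is missing, does not
    // match the 'usbqr_save_settings' action, or was issued to another user or
    // session. A cross-site attacker cannot read the nonce from the admin page,
    // so the forged request stops here.
    check_admin_referer( 'usbqr_save_settings', 'usbqr_nonce' );

    $raw = isset( $_POST['usbqr_settings'] ) && is_array( $_POST['usbqr_settings'] )
        ? wp_unslash( $_POST['usbqr_settings'] )
        : array();

    // Whitelist and sanitize: unknown keys sent by the request are dropped.
    $clean = array(
        'prefix'   => sanitize_text_field( $raw['prefix'] ?? '' ),
        'auto_add' => empty( $raw['auto_add'] ) ? 0 : 1,
    );
    update_option( 'usbqr_settings', $clean );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'admin.php?page=usbqr-settings' ) ) );
    exit;
}
add_action( 'admin_post_usbqr_save_settings', 'usbqr_save_settings_fixed' );
```

The nonce and the capability check solve different problems and both are needed: the nonce proves the request originated from a form the site rendered for this user (it stops the cross-site forgery), while `current_user_can()` proves the user is allowed to change the settings at all. A handler with a nonce but no capability check would still let any logged-in user with access to the form save settings; one with a capability check but no nonce is exactly the CSRF this advisory describes.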
CVE-2025-12588 is a Cross-Site Request Forgery (CSRF) vulnerability in the USB Qr Code Scanner For Woocommerce WordPress plugin, allowing attackers to modify settings via forged requests.
You are affected if you are using the USB Qr Code Scanner For Woocommerce plugin version 1.0.0 or earlier.
Upgrade to version 1.0.1 or later. Until you can, keep administrators from browsing untrusted sites while logged in to wp-admin and add a WAF rule covering the plugin's settings action.
There is no confirmed active exploitation of CVE-2025-12588 at this time, but the vulnerability is publicly known.
Check the plugin developer's website or WordPress plugin repository for updates and advisories related to CVE-2025-12588.