Platform: wordpress
Component: kirimemail-woocommerce-integration
Fixed version: 1.3.0
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Kirim.Email WooCommerce Integration plugin for WordPress. The flaw, present in versions 1.0.0 through 1.2.9, lets an unauthenticated attacker modify the plugin's API credentials and integration settings by forging a request that a logged-in administrator's browser submits on the attacker's behalf. The root cause is a missing nonce check on the plugin's settings page: the handler accepts any POST that arrives with a valid administrator session cookie, regardless of where the form was served from. A fix is available in version 1.3.0.
Successful exploitation lets the attacker change critical plugin settings, such as API keys and integration configuration, without ever authenticating to the site; the forged request rides on the administrator's existing session. Swapping in attacker-controlled credentials or endpoints could lead to unauthorized email sending through the store's account, exposure of data if the API keys grant access to sensitive information, and disruption of WooCommerce order processing that depends on the integration. The attacker must first induce an administrator to click a malicious link or visit a crafted page while logged in to wp-admin, which is what triggers the forged request.
This vulnerability was publicly disclosed on 2025-12-12. No public proof-of-concept (PoC) code has been identified at the time of writing. The vulnerability's CVSS score of 4.3 (MEDIUM) indicates a moderate risk of exploitation. It is not currently listed on the CISA KEV catalog.
Any WordPress site running Kirim.Email WooCommerce Integration 1.0.0 through 1.2.9 is exposed. Exposure is highest where administrators browse other sites or open email links while still logged in to wp-admin, because the forged request is delivered through the administrator's own browser; the hosting arrangement of the server does not change this.
Detection:
• wordpress: grep -r 'kirim_email_settings' /var/www/html/wp-content/plugins/
• wordpress: wp plugin list --fields=name,version,status | grep -i kirimemail
• generic web: Check for unusual API key changes in the plugin's WooCommerce email settings. Monitor WordPress admin activity logs for unexpected POST requests to the Kirim.Email plugin settings page, especially ones whose Referer is not your own wp-admin.
disclosure: 2025-12-12
Exploitation status: no confirmed active exploitation
EPSS: 0.02% (4th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade the Kirim.Email WooCommerce Integration plugin to version 1.3.0 or later, which adds the missing nonce validation. If an immediate upgrade is not possible, consider a Web Application Firewall (WAF) rule that blocks POST requests to the plugin's settings endpoint whose Referer or Origin header is not your own site. Review user roles so that only administrators who genuinely need the integration can reach its settings page, and audit the plugin's stored configuration regularly for changes nobody made on purpose.
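As an added illustration (this is not the plugin's own code, nor the vendor's patch), the following PHP shows the class of bug the advisory describes and the shape of the fix, plus an audit hook for the change monitoring mentioned in the detection notes above. The option name `kirim_email_settings` is taken from the detection grep on this page; the action name `ke_save_settings`, the field and function names, and the use of `admin-post.php` are assumptions made for the example.

```php
<?php
// Added example, not the Kirim.Email plugin's code. Option name taken from
// this page; action/field/function names are assumptions for illustration.

// --- BEFORE: a CSRF-vulnerable settings handler -----------------------------
// Every POST reaching this function is trusted. There is no nonce, so a form
// on an attacker's page that auto-submits to this endpoint is accepted as long
// as the victim's browser carries a logged-in administrator cookie.
function ke_vulnerable_save_settings() {
    if ( isset( $_POST['ke_api_key'] ) ) {
        update_option( 'kirim_email_settings', array(
            'api_key' => sanitize_text_field( wp_unslash( $_POST['ke_api_key'] ) ),
        ) );
    }
}

// --- AFTER: nonce + capability check (the control 1.0.0-1.2.9 lacked) ------
// 1. The settings form embeds a nonce tied to this action and this user.
function ke_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="ke_save_settings">
        <?php wp_nonce_field( 'ke_save_settings', 'ke_nonce' ); ?>
        <label>API key <input type="text" name="ke_api_key" value=""></label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// 2. The handler refuses anything that does not carry that nonce.
function ke_hardened_save_settings() {
    // Capability check: only users allowed to manage options may change this.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // Nonce check: a cross-site page cannot read the nonce, so a forged POST
    // fails here with a 403 before the option is touched.
    check_admin_referer( 'ke_save_settings', 'ke_nonce' );

    $api_key = isset( $_POST['ke_api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['ke_api_key'] ) )
        : '';
    update_option( 'kirim_email_settings', array( 'api_key' => $api_key ) );

    wp_safe_redirect( add_query_arg( 'settings-updated', 'true', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_ke_save_settings', 'ke_hardened_save_settings' );

// --- DETECTION: audit every change to the plugin's option -------------------
// Fires whenever kirim_email_settings is updated. Logs who changed it and from
// where (never the key itself) so an unexpected rotation stands out in logs.
function ke_audit_settings_change( $old_value, $value ) {
    $old_key = isset( $old_value['api_key'] ) ? $old_value['api_key'] : '';
    $new_key = isset( $value['api_key'] ) ? $value['api_key'] : '';
    if ( $old_key !== $new_key ) {
        error_log( sprintf(
            '[kirim-audit] api_key changed by user %d from %s referer=%s',
            get_current_user_id(),
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown',
            isset( $_SERVER['HTTP_REFERER'] ) ? $_SERVER['HTTP_REFERER'] : 'none'
        ) );
    }
}
add_action( 'update_option_kirim_email_settings', 'ke_audit_settings_change', 10, 2 );
```

The audit hook belongs in a small must-use plugin so it keeps running even if the integration plugin is updated or replaced; a change logged with a Referer outside your own wp-admin, or with a user who reports not having made it, is the signal the detection notes above are asking you to look for.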
CVE-2025-14165 is a Cross-Site Request Forgery (CSRF) vulnerability affecting Kirim.Email WooCommerce Integration versions 1.0.0–1.2.9, allowing attackers to modify plugin settings.
You are affected if your WordPress site uses Kirim.Email WooCommerce Integration version 1.0.0 through 1.2.9. Upgrade to 1.3.0 or later to mitigate the risk.
Upgrade the Kirim.Email WooCommerce Integration plugin to version 1.3.0 or later. Consider WAF rules and restricted admin access as temporary mitigations.
There is no confirmed active exploitation of CVE-2025-14165 at this time, but the vulnerability is publicly known.
Refer to the Kirim.Email plugin documentation or their official website for the latest advisory regarding CVE-2025-14165.