What is the severity of CVE-2025-2907?

CVE-2025-2907 is rated as a medium severity vulnerability due to its impact on the security of the Order Delivery Date WordPress plugin.

How do I fix CVE-2025-2907?

To fix CVE-2025-2907, update the Order Delivery Date WordPress plugin to version 12.3.1 or later.

What are the potential risks of CVE-2025-2907?

The risks of CVE-2025-2907 include unauthorized access and manipulation of plugin settings, potentially leading to broader site vulnerabilities.

Which versions are affected by CVE-2025-2907?

CVE-2025-2907 affects all versions of the Order Delivery Date WordPress plugin prior to 12.3.1.

Does CVE-2025-2907 affect other plugins or software?

CVE-2025-2907 specifically affects the Order Delivery Date WordPress plugin and does not impact other plugins.

Vulnerability/
CVE-2025-2907

critical

9.8

CWE

862 352

26/4/2025

29/4/2025

CVE-2025-2907: Order Delivery Date Pro for WooCommerce < 12.3.1 - Unauthenticated Arbitrary Option Update

First published: Sat Apr 26 2025(Updated: )

The Order Delivery Date WordPress plugin before 12.3.1 does not have authorization and CSRF checks when importing settings. Furthermore it also lacks proper checks to only update options relevant to the Order Delivery Date WordPress plugin before 12.3.1. This leads to attackers being able to modify the default_user_role to administrator and users_can_register, allowing them to register as an administrator of the site for complete site takeover.

Credit: contact@wpscan.com

Affected Software	Affected Version	How to fix
WooCommerce Order Delivery Date	<12.3.1

Never miss a vulnerability like this again

Reference Links

https://wpscan.com/vulnerability/2e513930-ec01-4dc6-8991-645c5267e14c/

Frequently Asked Questions

What is the severity of CVE-2025-2907?
CVE-2025-2907 is rated as a medium severity vulnerability due to its impact on the security of the Order Delivery Date WordPress plugin.
How do I fix CVE-2025-2907?
To fix CVE-2025-2907, update the Order Delivery Date WordPress plugin to version 12.3.1 or later.
What are the potential risks of CVE-2025-2907?
The risks of CVE-2025-2907 include unauthorized access and manipulation of plugin settings, potentially leading to broader site vulnerabilities.
Which versions are affected by CVE-2025-2907?
CVE-2025-2907 affects all versions of the Order Delivery Date WordPress plugin prior to 12.3.1.
Does CVE-2025-2907 affect other plugins or software?
CVE-2025-2907 specifically affects the Order Delivery Date WordPress plugin and does not impact other plugins.

collector/mitre-cve
source/MITRE
agent/title
agent/references
agent/type
agent/weakness
agent/description
agent/first-publish-date
agent/guess-ai
agent/software-canonical-lookup
agent/software-canonical-lookup-request
agent/softwarecombine
agent/author
agent/source
agent/tags
collector/nvd-api
source/NVD
agent/last-modified-date
agent/severity
agent/event
vendor/woocommerce
canonical/woocommerce order delivery date

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.