CVE-2025-2907 – WordPress Order Delivery Date Plugin Authentication Bypass and CSRF Vulnerability

April 26, 2025

CVE ID : CVE-2025-2907

Published : April 26, 2025, 6:15 a.m. | 1 hour, 13 minutes ago

Description : The Order Delivery Date WordPress plugin before 12.3.1 does not have authorization and CSRF checks when importing settings. Furthermore it also lacks proper checks to only update options relevant to the Order Delivery Date WordPress plugin before 12.3.1. This leads to attackers being able to modify the default_user_role to administrator and users_can_register, allowing them to register as an administrator of the site for complete site takeover.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

Source: Read More

Previous ArticleCVE-2025-3906 – Eduzz WooCommerce Unauthorized Data Modification Vulnerability

Next Article CVE-2025-3914 – Airtable Aeropage Sync for WordPress Unauthenticated Arbitrary File Upload Vulnerability

Sunshine And March Vibes (2025 Wallpapers Edition)

The Case For Minimal WordPress Setups: A Contrarian View On Theme Frameworks

How To Fix Largest Contentful Paint Issues With Subpart Analysis

How To Prevent WordPress SQL Injection Attacks

Microsoft has closed its “Experience Center” store in Sydney, Australia — as it ramps up a continued digital growth campaign

Bing Search APIs to be “decommissioned completely” as Microsoft urges developers to use its Azure agentic AI alternative

Microsoft might kill the Surface Laptop Studio as production is quietly halted

Minecraft licensing robbed us of this controversial NFL schedule release video

The power of generators

The power of generators

Simplify Factory Associations with Laravel’s UseFactory Attribute

This Week in Laravel: React Native, PhpStorm Junie, and more

Microsoft has closed its “Experience Center” store in Sydney, Australia — as it ramps up a continued digital growth campaign

Microsoft has closed its “Experience Center” store in Sydney, Australia — as it ramps up a continued digital growth campaign

Bing Search APIs to be “decommissioned completely” as Microsoft urges developers to use its Azure agentic AI alternative

Microsoft might kill the Surface Laptop Studio as production is quietly halted

CVE-2025-2907 – WordPress Order Delivery Date Plugin Authentication Bypass and CSRF Vulnerability

Nmap 7.96 Launches with Lightning-Fast DNS and 612 Scripts

CVE-2025-4610 – WordPress WP-Members Membership Plugin Stored Cross-Site Scripting Vulnerability

Using the Web Audio API to simulate various sets of tuning forks.

Schlage’s new smart lock will unlock the door for you – completely hands-free

Researchers from Sea AI Lab, UCAS, NUS, and SJTU Introduce FlowReasoner: a Query-Level Meta-Agent for Personalized System Generation

The best free password managers of 2024: Expert tested

Ubisoft says you don’t own your video games, read the fine print

Digital Copyright Policy

Offpunk is an offline-first command-line browser

10 Siri tips and tricks to make it less terrible (and more helpful)

CVE-2025-2907 – WordPress Order Delivery Date Plugin Authentication Bypass and CSRF Vulnerability

Related Posts