Order Delivery Date WordPress Plugin Missing Authorization Vulnerability Allowing Unauthenticated Option Updates

Vulnerability

A vulnerability exists in the Order Delivery Date WordPress plugin in versions prior to 12.3.1. The plugin's settings import lacks both an authorization check and Cross-Site Request Forgery (CSRF) protection, and it does not restrict the options it updates to those belonging to the plugin. As a result, attackers can change user role settings, for example setting the default user role to administrator and enabling user registration so that newly registered accounts become administrators, potentially leading to a complete takeover of the site.
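As an added illustration, not code from the Order Delivery Date plugin or its vendor, the PHP below shows what a WordPress plugin's settings-import handler needs in order to avoid this bug class: a capability check, a nonce check, and an allowlist that stops the import from writing core options such as default_role and users_can_register, plus a small check a defender can run to spot the resulting state. The function names, option keys, hook name and nonce action are assumptions.

```php
<?php
// Added example, not the plugin's own code. Function names, option keys,
// hook and nonce action are assumptions.

// Options the plugin owns and may write from an import (assumed names).
const ODD_IMPORT_ALLOWED_OPTIONS = [
    'orddd_enable_delivery_date',
    'orddd_delivery_date_format',
];

/** Keeps only allowlisted keys so core options such as default_role or
 *  users_can_register can never be written through the import path. */
function odd_filter_importable_options( array $settings ): array {
    return array_intersect_key( $settings, array_flip( ODD_IMPORT_ALLOWED_OPTIONS ) );
}

/** Defender check: flags the post-exploitation state the advisory describes. */
function odd_registration_settings_are_risky(): bool {
    return (bool) get_option( 'users_can_register' )
        && 'administrator' === get_option( 'default_role' );
}

/** Handles the admin-post settings import. Dropping any of the three checks
 *  reproduces the advisory's bug class. */
function odd_handle_settings_import(): void {
    // 1. Authorization: importing settings requires manage_options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'orddd' ), '', [ 'response' => 403 ] );
    }
    // 2. CSRF: the request must carry a valid nonce bound to this action.
    check_admin_referer( 'odd_import_settings', 'odd_import_nonce' );

    $raw      = isset( $_POST['settings_json'] ) ? wp_unslash( $_POST['settings_json'] ) : '';
    $settings = json_decode( $raw, true );
    if ( ! is_array( $settings ) ) {
        wp_die( esc_html__( 'Invalid import file.', 'orddd' ), '', [ 'response' => 400 ] );
    }

    // 3. Scope: write only the plugin's own keys; each value should also be
    //    validated per key before storage (not shown here).
    foreach ( odd_filter_importable_options( $settings ) as $key => $value ) {
        update_option( $key, $value );
    }
    wp_safe_redirect( admin_url( 'admin.php?page=orddd-settings&imported=1' ) );
    exit;
}

// admin_post_ (without _nopriv) never fires for unauthenticated requests.
add_action( 'admin_post_odd_import_settings', 'odd_handle_settings_import' );
```

On an existing site, `odd_registration_settings_are_risky()` returning true after the plugin was exposed is a signal to review recently created administrator accounts and reset `default_role` and `users_can_register`.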

Impact

Exploitation of this vulnerability allows unauthorized users to gain administrative access to the WordPress site, effectively taking it over.

Remediation

Users are advised to update the Order Delivery Date WordPress plugin to version 12.3.1 or later.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 5.0
exploitability: 8.9
remediation: 7.7
relevance: 0.0
threat: 6.6
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.