CVE-2025-13179

4.3 MEDIUM

📋 TL;DR

This CVE describes a Cross-Site Request Forgery (CSRF) vulnerability in Bdtask/CodeCanyon Wholesale Inventory Control and Inventory Management System. Attackers can trick authenticated users into performing unintended actions by crafting malicious requests. All users of affected versions are vulnerable to this attack.

💻 Affected Systems

Products:
  • Bdtask/CodeCanyon Wholesale Inventory Control and Inventory Management System
Versions: Up to and including 20250320
Operating Systems: All platforms running the web application
Default Config Vulnerable: ⚠️ Yes
Notes: All installations with default configurations are vulnerable. The vulnerability affects unknown processing components within the system.

⚠️ Risk & Real-World Impact

🔴 Worst Case: An attacker could perform administrative actions such as creating new admin accounts, modifying inventory data, or deleting critical business information without the legitimate user's knowledge.

🟠 Likely Case: Attackers will likely use this to modify inventory records, create fraudulent transactions, or steal sensitive business data through crafted requests.

🟢 If Mitigated: With proper CSRF protections and user awareness, the impact is limited, as attackers cannot directly execute code or access data without user interaction.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit details are publicly available on GitHub. Attack requires user interaction but is technically simple to implement.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Vendor has not responded to disclosure. Consider implementing workarounds or migrating to alternative software.

🔧 Temporary Workarounds

Implement CSRF Tokens
Applies to: all
Add CSRF protection tokens to all state-changing forms and requests.
Implement anti-CSRF tokens in application code.

SameSite Cookie Attribute
Applies to: all
Set the SameSite=Strict or SameSite=Lax attribute on session cookies, for example:

Set-Cookie: session=value; SameSite=Strict; Secure; HttpOnly
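As an added illustration (not code from the affected product or its vendor), the synchronizer-token pattern behind the first workaround, written framework-agnostically in Python: the token is bound to the server-side session, embedded in every form as a hidden field, and checked with a constant-time comparison on each state-changing request. The in-memory session store, the `csrf_token` field name and the cookie name are assumptions.

```python
import hmac
import html
import secrets

# Constructed in-memory session store (session_id -> session data); a real
# deployment keeps this server-side, never in anything the browser can read.
SESSIONS: dict[str, dict] = {}

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def issue_csrf_token(session_id: str) -> str:
    """Create (or reuse) the per-session anti-CSRF token."""
    session = SESSIONS.setdefault(session_id, {})
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def render_form(session_id: str, action: str) -> str:
    """Embed the token as a hidden field; a cross-site page cannot read it."""
    token = html.escape(issue_csrf_token(session_id))
    return (f'<form method="POST" action="{html.escape(action)}">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            f'</form>')


def validate_csrf(session_id: str, method: str, form: dict) -> bool:
    """Return True if the request may proceed.

    Safe methods need no token. State-changing requests must carry the token
    that matches the session; a forged cross-site request has no way to
    obtain it. The comparison is constant-time so timing does not leak it.
    """
    if method.upper() not in STATE_CHANGING:
        return True
    expected = SESSIONS.get(session_id, {}).get("csrf_token")
    supplied = form.get("csrf_token")
    if not expected or not isinstance(supplied, str):
        return False
    return hmac.compare_digest(expected, supplied)


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value from the second workaround: SameSite + Secure + HttpOnly."""
    return f"session={session_id}; SameSite=Strict; Secure; HttpOnly"
```

Every handler that changes state (for this product: inventory edits, account creation, deletions) calls `validate_csrf` before doing any work and rejects the request with 403 when it returns False.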

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to detect and block CSRF patterns
  • Restrict application access to trusted networks only and implement strict user session management

🔍 How to Verify

Check if Vulnerable:

Check whether your system version is 20250320 or earlier by reviewing the application version in the admin panel or source code.

Check Version:

Check the application configuration files or admin dashboard for version information.

Verify Fix Applied:

Test forms and state-changing requests to ensure they include a CSRF token and that the server rejects requests with a missing or invalid token.

📡 Detection & Monitoring

Log Indicators:

  • Multiple state-changing requests from the same IP without the corresponding GET requests that would normally load the form
  • Unusual administrative actions from non-admin user sessions

Network Indicators:

  • HTTP POST/PUT requests without Referer headers or CSRF tokens
  • Requests with unexpected parameters or values

SIEM Query:

source="web_app_logs" AND (action="admin_create" OR action="inventory_modify") AND NOT csrf_token=*
