CVE-2025-2907

9.8 CRITICAL

📋 TL;DR

This vulnerability in the Order Delivery Date WordPress plugin allows unauthenticated attackers to modify critical WordPress settings, including registering themselves as administrators. It affects all WordPress sites running vulnerable versions of this plugin. Attackers can achieve complete site takeover through this flaw.

💻 Affected Systems

Products:
  • Order Delivery Date for WooCommerce WordPress plugin
Versions: All versions before 12.3.1
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress with WooCommerce and the vulnerable plugin installed. No special configuration needed.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete site compromise with administrative access, data theft, defacement, malware injection, and potential lateral movement to other systems.

🟠 Likely Case

Attacker gains administrative access, installs backdoors, steals sensitive data, and uses the compromised site for further attacks.

🟢 If Mitigated

Attack prevented through proper patching or workarounds, with no impact to site integrity.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires no authentication and minimal technical skill due to missing authorization/CSRF checks.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 12.3.1

Vendor Advisory: https://wpscan.com/vulnerability/2e513930-ec01-4dc6-8991-645c5267e14c/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Order Delivery Date for WooCommerce'.
4. Click 'Update Now' if available, or download version 12.3.1+ from the WordPress repository.
5. Activate the updated plugin.

🔧 Temporary Workarounds

Disable vulnerable plugin

all

Temporarily deactivate the Order Delivery Date plugin until patched

wp plugin deactivate order-delivery-date

Restrict plugin access

all

Use a web application firewall to block requests to the plugin's import functionality

🧯 If You Can't Patch

  • Disable the Order Delivery Date plugin immediately
  • Implement strict network segmentation and monitor for unauthorized admin user creation

🔍 How to Verify

Check if Vulnerable:

Check plugin version in WordPress admin under Plugins > Installed Plugins. If version is below 12.3.1, you are vulnerable.

Check Version:

wp plugin get order-delivery-date --field=version

Verify Fix Applied:

Confirm plugin version is 12.3.1 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized POST requests to plugin import endpoints
  • Sudden creation of new administrator accounts
  • Changes to default_user_role or users_can_register settings

Network Indicators:

  • HTTP requests to /wp-admin/admin-ajax.php with action=orddd_import_settings
  • Unusual traffic patterns to plugin-specific endpoints

SIEM Query:

source="wordpress.log" AND ("orddd_import_settings" OR "default_user_role" OR "users_can_register")
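The network indicator above (a POST to admin-ajax.php carrying action=orddd_import_settings) and the settings-change indicators can be checked without a SIEM. The Python below is an added example, not code from the advisory or the plugin: it scans combined-format web server access log lines for that AJAX action in the query string and audits the two WordPress options the page names. The log lines and option values are constructed samples. Caveat built into the code: admin-ajax.php normally receives the action in the POST body, which an access log does not record, so a log-only scan catches the query-string form and the option audit is the more reliable check after the fact.

```python
import re
from urllib.parse import parse_qs, urlsplit

SUSPECT_ACTION = "orddd_import_settings"  # AJAX action named in the advisory

# Constructed sample access log lines (Apache/nginx combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2025:12:01:05 +0000] "POST /wp-admin/admin-ajax.php?action=orddd_import_settings HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.2 - - [10/May/2025:12:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 73 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2025:12:01:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
192.0.2.9 - - [10/May/2025:12:02:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "curl/8.0"
"""

# Fields of the combined log format we need: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict of log fields, or None for lines that do not parse."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def is_import_request(record):
    """True for a POST to admin-ajax.php whose query string names the suspect action.

    Actions sent only in the POST body are invisible here (see the lead-in).
    """
    if record["method"] != "POST":
        return False
    url = urlsplit(record["target"])
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return False
    return SUSPECT_ACTION in parse_qs(url.query).get("action", [])


def find_import_requests(log_text):
    """Scan a block of log text and return matching records (ip, ts, status)."""
    hits = []
    for line in log_text.splitlines():
        record = parse_line(line)
        if record and is_import_request(record):
            hits.append({k: record[k] for k in ("ip", "ts", "status")})
    return hits


def audit_registration_settings(options, allowed_roles=("subscriber", "customer")):
    """Flag the two WordPress options the advisory lists as change indicators.

    `options` maps option name to value, e.g. as returned by
    `wp option get users_can_register` / `wp option get default_user_role`.
    The allowed-role list is an assumption: adjust it to the site's baseline.
    """
    findings = []
    if options.get("users_can_register") == "1":
        findings.append("users_can_register is enabled (open registration)")
    role = options.get("default_user_role")
    if role is not None and role not in allowed_roles:
        findings.append(f"default_user_role is '{role}', not in baseline {allowed_roles}")
    return findings


if __name__ == "__main__":
    for hit in find_import_requests(SAMPLE_LOG):
        print("suspect import request:", hit)
    # Constructed post-compromise option values for demonstration.
    for finding in audit_registration_settings(
        {"users_can_register": "1", "default_user_role": "administrator"}
    ):
        print("setting finding:", finding)
```

On a live site, feed `find_import_requests()` the access log text and `audit_registration_settings()` the current option values; a finding from the audit should be paired with a review of recently created users with the administrator role.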
