CVE-2025-2929
📋 TL;DR
The Order Delivery Date WordPress plugin before version 12.4.0 contains a reflected cross-site scripting (XSS) vulnerability where unsanitized user input is reflected back in page output. This allows attackers to inject malicious scripts that execute in the browser of high-privilege users like administrators. WordPress sites using vulnerable versions of this plugin are affected.
💻 Affected Systems
- Order Delivery Date for WooCommerce WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An attacker could steal administrator session cookies, perform actions as the administrator (including plugin/theme installation, content modification, or user creation), or redirect users to malicious sites.
Likely Case
Attackers would typically use this to steal session cookies or credentials from administrators who click on crafted malicious links, potentially leading to site compromise.
If Mitigated
With proper web application firewalls and security headers, the attack would be blocked or mitigated, preventing successful exploitation.
🎯 Exploit Status
The vulnerability requires user interaction (admin clicking a malicious link) but is trivial to exploit once the link is crafted.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 12.4.0
Vendor Advisory: https://wpscan.com/vulnerability/e9299d8f-900b-4487-b135-b82946825e61/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Order Delivery Date for WooCommerce'.
4. Click 'Update Now' if available, or download version 12.4.0+ from the WordPress repository.
5. Activate the updated plugin.
🔧 Temporary Workarounds
Web Application Firewall (WAF)
Deploy a WAF with XSS protection rules to block malicious payloads.
Content Security Policy (CSP)
Implement a strict CSP header to prevent script execution from untrusted sources. Add to .htaccess or the web server config (Apache syntax):
Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Note that the WordPress admin relies heavily on inline scripts, which this policy blocks; roll it out as Content-Security-Policy-Report-Only first and expect to adjust it.
🧯 If You Can't Patch
- Disable the Order Delivery Date plugin temporarily until patched.
- Restrict admin panel access to trusted IP addresses only.
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin under Plugins → Installed Plugins. If version is below 12.4.0, it is vulnerable.
Check Version:
wp plugin list --name=order-delivery-date --field=version
(--name matches the plugin slug, i.e. its directory name under wp-content/plugins, not the display title; the slug order-delivery-date is taken from the plugin path listed under Network Indicators. Run wp plugin list without filters to confirm the slug on your site.)
Verify Fix Applied:
After updating, verify the plugin version shows 12.4.0 or higher in the WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual GET/POST requests with script tags or JavaScript in parameters to plugin endpoints
- Admin user sessions from unexpected IP addresses or locations
Network Indicators:
- HTTP requests containing <script> tags or JavaScript in query parameters to /wp-content/plugins/order-delivery-date/ paths
SIEM Query:
source="web_server" AND (uri="*order-delivery-date*" AND (param="*<script>*" OR param="*javascript:*"))
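The log and network indicators above describe what to look for; the following is an added detection example (not part of the advisory or the plugin) that runs that logic over access-log lines in combined format. It scopes matching to the plugin path named under Network Indicators (the prefix tuple is an assumption you can extend), strips percent-encoding, including double encoding, before pattern matching, and goes slightly beyond the page's two indicators by also flagging a few inline event-handler attributes. The sample log lines and the endpoint file name in them are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache/nginx "combined" format: client, ident, user, [timestamp], "METHOD target PROTO", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Path prefix from the advisory's network indicators (assumption: the vulnerable
# endpoint is served from here; extend the tuple if your site differs).
PLUGIN_PREFIXES = ("/wp-content/plugins/order-delivery-date/",)

# <script ...>, javascript: URLs, and a short list of inline event handlers.
PAYLOAD_RE = re.compile(
    r"<\s*script\b|javascript\s*:|\bon(?:error|load|click|mouseover|focus)\s*=",
    re.IGNORECASE,
)


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Strip up to max_rounds layers of percent-encoding (double encoding is common)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target: str) -> list[tuple[str, str]]:
    """Return (name, decoded value) pairs whose value matches PAYLOAD_RE.

    Returns [] when the request target is not under a plugin path."""
    parts = urlsplit(target)
    if not decode_fully(parts.path).startswith(PLUGIN_PREFIXES):
        return []
    hits = []
    # parse_qsl removes one encoding layer; decode_fully removes any further layers
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        value = decode_fully(value)
        if PAYLOAD_RE.search(value):
            hits.append((name, value))
    return hits


def scan_log(lines):
    """Return one finding dict per suspicious request found in the log lines."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the whole scan
        for name, value in suspicious_params(m["target"]):
            findings.append({
                "ip": m["ip"], "ts": m["ts"], "method": m["method"],
                "status": m["status"], "param": name, "value": value,
            })
    return findings


# Constructed sample log lines (not real traffic); example-endpoint.php is a placeholder name.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2025:10:00:01 +0000] "GET /wp-content/plugins/order-delivery-date/js/calendar.js HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Mar/2025:10:00:02 +0000] "GET /wp-content/plugins/order-delivery-date/example-endpoint.php?date=<script>alert(1)</script> HTTP/1.1" 200 1024',
    '198.51.100.7 - - [10/Mar/2025:10:00:03 +0000] "GET /wp-content/plugins/order-delivery-date/example-endpoint.php?date=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 1024',
    '198.51.100.9 - - [10/Mar/2025:10:00:04 +0000] "GET /wp-content/plugins/order-delivery-date/example-endpoint.php?return=javascript:alert(1) HTTP/1.1" 200 1024',
    '192.0.2.4 - - [10/Mar/2025:10:00:05 +0000] "GET /?s=%3Cscript%3E HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['method']} param={f['param']!r} value={f['value']!r}")
```

Running it on the sample flags the plain, double-encoded and javascript: requests and ignores the static asset and the request outside the plugin path. The third sample line is the reason for decoding before matching: a wildcard search for a literal `<script>` or `javascript:`, like the SIEM query above, does not match `%3Cscript%3E` or `%253Cscript%253E`, so either normalise the field in the SIEM pipeline or add the encoded variants to the query.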