CVE-2025-63024
📋 TL;DR
This vulnerability allows unauthorized users to access functionality intended only for authenticated users in the Order Delivery Date for WooCommerce plugin. It affects all WordPress sites using this plugin up to version 4.3.1, potentially exposing order delivery information and settings.
💻 Affected Systems
- Order Delivery Date for WooCommerce
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could modify order delivery dates, access customer delivery information, or alter plugin settings affecting all orders.
Likely Case
Unauthorized viewing or modification of delivery dates for specific orders, potentially disrupting logistics.
If Mitigated
Minimal impact if proper authorization checks are implemented or plugin is disabled.
🎯 Exploit Status
Requires some WordPress/WooCommerce knowledge but no authentication needed for exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: >4.3.1
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'Order Delivery Date for WooCommerce'. 4. Click 'Update Now' if available, or download latest version from WordPress repository. 5. Activate updated plugin.
🔧 Temporary Workarounds
Disable Plugin
allTemporarily disable the vulnerable plugin until patched.
wp plugin deactivate order-delivery-date-for-woocommerce
Restrict Access via .htaccess
linuxBlock access to plugin directories for unauthorized users.
# Add to .htaccess in wp-content/plugins/order-delivery-date-for-woocommerce/
Order deny,allow
Deny from all
Allow from 127.0.0.1
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block unauthorized access to plugin endpoints.
- Monitor access logs for unusual requests to order-delivery-date-for-woocommerce plugin paths.
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin under Plugins > Installed Plugins. If version is 4.3.1 or lower, you are vulnerable.Check Version:
wp plugin get order-delivery-date-for-woocommerce --field=versionVerify Fix Applied:
Verify plugin version is >4.3.1 and test that only authorized users can access delivery date functionality.📡 Detection & Monitoring
Log Indicators:
- Unauthorized POST/GET requests to /wp-content/plugins/order-delivery-date-for-woocommerce/
- 403 errors followed by 200 successes from same IP
Network Indicators:
- Unusual traffic patterns to plugin-specific endpoints from unauthenticated sources
SIEM Query:
source="wordpress.log" AND (uri_path="/wp-content/plugins/order-delivery-date-for-woocommerce/" OR plugin="order-delivery-date-for-woocommerce") AND response_code=200 AND user="-"