CVE-2025-2907 Scanner
CVE-2025-2907 Scanner - Unauthenticated Admin Account Creation vulnerability in Order Delivery Date Pro for WooCommerce
Short Info
Level: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 3 weeks 13 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -
Order Delivery Date Pro for WooCommerce is a WordPress plugin that extends WooCommerce order management by letting customers choose a delivery date (and, depending on configuration, a time slot) at checkout. It is used by online stores in retail, food and beverage, and other sectors where delivery timing matters, and it is installed on WooCommerce sites that need to manage delivery schedules. Because it is a paid ("Pro") plugin, affected sites typically update it through the vendor rather than the WordPress.org plugin directory, which makes version tracking easy to neglect.
The Unauthenticated Admin Account Creation vulnerability (CVE-2025-2907) is a critical flaw in Order Delivery Date Pro for WooCommerce versions before 12.3.1. The plugin's settings import handler performs neither an authorization (capability) check nor a CSRF (nonce) check, so an unauthenticated attacker can submit an import that the plugin applies without validating who sent it or what it contains. The imported data is not restricted to the plugin's own settings: an attacker can set the site's default role for new users to "administrator" and, since the same request can enable open registration, simply register a new account and receive administrator privileges. The vulnerability therefore amounts to a complete site takeover and requires immediate attention.
Technically, the flaw lies in the plugin's import settings functionality, which is exposed as an AJAX action reached through /wp-admin/admin-ajax.php. A specially crafted request to that action is processed without a capability or nonce check, and the handler writes the supplied keys and values as WordPress options. Two core options are decisive: `default_role`, which the attacker sets to `administrator` (this is the WordPress option the page's source describes as the "default user role"), and `users_can_register`, which the attacker enables so that the registration form at /wp-login.php?action=register becomes available. Once both are set, any account registered through the normal sign-up flow is created as an administrator. The root cause is the absence of server-side checks (who is calling, whether the request carries a valid nonce, and which option names may be written) in the script that handles the import.
When exploited, this vulnerability gives the attacker full administrative control of the affected WordPress site. A malicious administrator can add, modify, or delete content, install plugins and themes (including web shells), create further accounts, and inject malware that compromises the site's visitors and customers. The result can be a breach of customer and order data, unauthorized access to sensitive information, and disruption of business operations, and recovery is expensive in both time and cost. Updating to 12.3.1 or later closes the hole but does not undo an earlier exploitation: administrators should also confirm that `default_role` is back to its intended value (normally `subscriber`) and that `users_can_register` is disabled unless registration is deliberately offered, and they should review any administrator accounts created while the vulnerable version was exposed.
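The following PHP is an added illustration written for this page; it is not code from the Order Delivery Date Pro plugin, and the action names, option keys, and nonce action string are hypothetical. It shows the insecure admin-ajax pattern the description above refers to (an import handler reachable without login that writes arbitrary options) next to a hardened version that verifies a nonce, checks the `manage_options` capability, and only writes allow-listed plugin options, so that a request carrying `default_role` or `users_can_register` is discarded.

```php
<?php
/*
 * Added example for this page, not the plugin's own code.
 * Action names ("example_import_settings"), option keys and the nonce
 * action string are hypothetical; WordPress API calls are real.
 */

// --- Vulnerable pattern -------------------------------------------------
// Hooking the handler on wp_ajax_nopriv_* exposes it to visitors who are
// not logged in. The callback neither verifies a nonce (CSRF) nor checks a
// capability (authorization) before writing whatever keys the request sends.
add_action( 'wp_ajax_example_import_settings',        'example_import_settings_vulnerable' );
add_action( 'wp_ajax_nopriv_example_import_settings', 'example_import_settings_vulnerable' );

function example_import_settings_vulnerable() {
    $settings = json_decode( wp_unslash( $_POST['settings'] ?? '' ), true );
    if ( ! is_array( $settings ) ) {
        wp_send_json_error( 'invalid import' );
    }
    // Arbitrary option names are accepted, so a body such as
    // {"default_role":"administrator","users_can_register":"1"}
    // rewrites core site configuration instead of plugin settings.
    foreach ( $settings as $key => $value ) {
        update_option( $key, $value );
    }
    wp_send_json_success();
}

// --- Hardened pattern ---------------------------------------------------
// No nopriv hook, so anonymous requests never reach the callback; the
// request must carry a nonce bound to this action; the caller must hold
// manage_options; and only allow-listed plugin options can be written,
// each passed through a sanitizer appropriate to its type.
add_action( 'wp_ajax_example_import_settings_safe', 'example_import_settings_hardened' );

function example_import_settings_hardened() {
    // Dies with a 403 if the "nonce" field is missing or invalid.
    check_ajax_referer( 'example_import_settings', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Hypothetical plugin options and the sanitizer for each value.
    $allowed = array(
        'example_delivery_cutoff_hours' => 'absint',
        'example_enable_time_slots'     => 'rest_sanitize_boolean',
    );

    $settings = json_decode( wp_unslash( $_POST['settings'] ?? '' ), true );
    if ( ! is_array( $settings ) ) {
        wp_send_json_error( 'invalid import', 400 );
    }

    $applied = array();
    foreach ( $settings as $key => $value ) {
        $key = sanitize_key( $key );
        if ( ! isset( $allowed[ $key ] ) ) {
            // default_role, users_can_register, admin_email, ... are dropped.
            continue;
        }
        update_option( $key, call_user_func( $allowed[ $key ], $value ) );
        $applied[] = $key;
    }
    wp_send_json_success( array( 'applied' => $applied ) );
}
```

The nonce on the client side would be generated with `wp_create_nonce( 'example_import_settings' )` and sent as the `nonce` field. The allow-list is the part that matters most for this CVE: even an authenticated administrator should not be able to rewrite arbitrary core options through a plugin's import feature, and keying writes to a fixed map of plugin-owned option names removes the `default_role` and `users_can_register` writes entirely.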