CVE-2025-6053
BaseFortify
Publication date: 2025-07-18
Last updated on: 2025-07-22
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bogdan_silivestru | zuppler_online_ordering | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Cross-Site Request Forgery (CSRF) in the Zuppler Online Ordering WordPress plugin up to version 2.1.0. It occurs because the plugin lacks proper nonce validation on the 'zuppler-online-ordering-options' page. This allows an attacker to trick a site administrator into performing unintended actions, such as updating plugin settings or injecting malicious scripts, by sending a forged request.
How can this vulnerability impact me? :
The vulnerability can allow an unauthenticated attacker to change plugin settings or inject malicious web scripts if they can trick a site administrator into clicking a malicious link. This can lead to compromised site integrity, potential data manipulation, or the execution of malicious code within the affected WordPress site.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include uninstalling or disabling the Zuppler Online Ordering plugin if it is installed, as the plugin has been removed from official download sources pending a security review. Additionally, ensure that site administrators are cautious about clicking on suspicious links that could trigger forged requests. Monitoring for plugin updates or security patches before reinstallation is also recommended. [1]