CVE-2025-12373
BaseFortify
Publication date: 2025-12-05
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordfence | torod | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Cross-Site Request Forgery (CSRF) issue in the Torod WordPress plugin for smart shipping and delivery. It occurs because the plugin's save_settings function lacks proper nonce validation, allowing an attacker to trick a site administrator into performing unintended actions, such as changing plugin settings, by sending a forged request.
How can this vulnerability impact me? :
An attacker can exploit this vulnerability to modify the plugin's settings without authentication by tricking an administrator into clicking a malicious link. This could lead to unauthorized changes in the shipping and delivery configurations of the e-shop or retailer's website, potentially disrupting operations or causing incorrect shipping behavior.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this Cross-Site Request Forgery (CSRF) vulnerability involves monitoring for unauthorized or unexpected changes to the Torod plugin settings, especially via forged requests targeting the save_settings function. Since the vulnerability exploits missing or incorrect nonce validation, you can look for HTTP POST requests to the WordPress admin settings endpoint related to the Torod plugin that lack valid nonce tokens or originate from unusual sources. Specific commands could include using web server logs or network monitoring tools to filter POST requests to the plugin's settings URL and inspecting headers or parameters for nonce presence. For example, using grep on web server logs: `grep 'POST.*torod_Settings.php' /var/log/apache2/access.log` and then checking for nonce parameters. However, no explicit commands are provided in the resources. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the plugin's settings page to only trusted administrators, ensuring that user permissions are properly enforced (which the plugin already does via `current_user_can('manage_options')`). Additionally, administrators should avoid clicking on suspicious links or performing actions from untrusted sources that could trigger forged requests. Updating the plugin to a version that includes proper nonce validation on the save_settings function is recommended once available. Until then, monitoring and limiting administrative actions and access can reduce risk. [1]