CVE-2025-13987
CSRF Vulnerability in WordPress Purchase and Expense Manager Plugin
Publication date: 2025-12-12
Last updated on: 2025-12-12
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | purchase_and_expense_manager | 1.1.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability is a Cross-Site Request Forgery (CSRF) in the Purchase and Expense Manager plugin for WordPress, affecting all versions up to and including 1.1.2. It occurs because the 'sup_pt_handle_deletion' function lacks nonce validation, allowing unauthenticated attackers to delete arbitrary purchase records if they can trick a site administrator into performing an action like clicking a malicious link.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the Purchase and Expense Manager WordPress plugin version 1.1.2 or earlier is installed and active on your WordPress site. Since the vulnerability involves a missing nonce validation on the 'sup_pt_handle_deletion' function allowing CSRF attacks, you can monitor for suspicious HTTP requests that include actions to delete purchase records without proper nonce tokens. To detect exploitation attempts, you can look for HTTP requests to the admin interface that trigger deletion actions without valid nonce parameters. For example, monitoring web server logs for POST or GET requests targeting the plugin's deletion endpoints without nonce parameters could indicate attempts to exploit the vulnerability. Specific commands depend on your environment, but here are some example commands for Linux systems: 1. To check plugin version via WP-CLI: `wp plugin get purchase-and-expense-manager --field=version` 2. To search web server logs for suspicious requests (adjust path and patterns accordingly): `grep -i 'sup_pt_handle_deletion' /var/log/apache2/access.log` or `grep -i 'purchase-and-expense-manager' /var/log/nginx/access.log` 3. To monitor HTTP requests missing nonce parameters: `grep -E 'sup_pt_handle_deletion.*(?!_wpnonce)' /var/log/apache2/access.log` (Note: This is a simplified example; actual detection may require more tailored log analysis or IDS rules.) Additionally, you can use WordPress security plugins or web application firewalls that detect CSRF attempts or unusual admin actions. Since the vulnerability is related to CSRF, ensuring that admin users do not click on suspicious links and that the plugin is updated to a patched version is critical. [1, 2]
How can this vulnerability impact me? :
This vulnerability can allow attackers to delete purchase records without authorization by tricking an administrator into clicking a malicious link. This could lead to loss of important financial data and potential disruption of business operations.
What immediate steps should I take to mitigate this vulnerability?
Update the Purchase and Expense Manager plugin for WordPress to a version later than 1.1.2 where the nonce validation issue in the 'sup_pt_handle_deletion' function is fixed. Until then, restrict administrative access and avoid clicking on suspicious links that could trigger unauthorized deletion actions.