CVE-2025-15635
Cross-Site Request Forgery in Zaytech Smart Online Order
Publication date: 2026-04-15
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zaytech | smart_online_order_for_clover | From 1.0.0 (inc) to 1.6.0 (inc) |
| zaytech | smart_online_order_for_clover | to 1.6.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this Cross-Site Request Forgery (CSRF) vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2025-15635 is a Cross Site Request Forgery (CSRF) vulnerability affecting the WordPress Smart Online Order for Clover Plugin versions up to and including 1.6.0.
This vulnerability allows an attacker to trick higher privileged users into executing unwanted actions while authenticated, by having them perform actions such as clicking a malicious link, visiting a crafted page, or submitting a form.
The vulnerability requires no authentication to initiate but successful exploitation depends on user interaction by a privileged user.
It is classified under OWASP Top 10 A1: Broken Access Control and has a CVSS severity score of 4.3, indicating low severity and low priority.
How can this vulnerability impact me? :
This vulnerability could allow attackers to cause privileged users to perform unintended actions on the affected system without their consent.
Although the severity is considered low, it could be exploited in mass campaigns targeting many websites regardless of their traffic or popularity.
The impact is limited since exploitation requires user interaction and the vulnerability does not lead to direct data disclosure or system compromise.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There is no specific information provided about detection methods or commands to identify this vulnerability on your network or system.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Smart Online Order for Clover plugin to a version beyond 1.6.0 if available.
If updating is not possible, seek assistance from your hosting provider or web developers to implement protective measures.
Since there is no official patch available as of the latest update, these steps are recommended to reduce the risk of exploitation.