{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12373", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-27T21:06:28.880Z", "datePublished": "2025-12-05T06:07:18.239Z", "dateUpdated": "2026-04-08T16:40:54.972Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:40:54.972Z"}, "affected": [{"vendor": "torod", "product": "Torod \u2013 The smart shipping and delivery portal for e-shops and retailers", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.9", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Torod \u2013 The smart shipping and delivery portal for e-shops and retailers plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9. This is due to missing or incorrect nonce validation on the save_settings function. This makes it possible for unauthenticated attackers to modify plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Torod \u2013 The smart shipping and delivery portal for e-shops and retailers <= 1.9 - Cross-Site Request Forgery To Plugin's Settings Modification", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1eedab61-e94b-4793-8bf6-cfadd94a5778?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/torod/tags/1.9/inc/torod_Settings.php#L80"}, {"url": "https://plugins.trac.wordpress.org/changeset/3410767/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "timeline": [{"time": "2025-10-15T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-12-04T17:32:53.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-05T13:05:48.081936Z", "id": "CVE-2025-12373", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-05T13:06:03.714Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12373", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-05T13:05:48.081936Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-05T13:05:52.315Z"}}], "cna": {"title": "Torod \u2013 The smart shipping and delivery portal for e-shops and retailers <= 1.9 - Cross-Site Request Forgery To Plugin's Settings Modification", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "torod", "product": "Torod \u2013 The smart shipping and delivery portal for e-shops and retailers", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.9"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-15T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-12-04T17:32:53.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1eedab61-e94b-4793-8bf6-cfadd94a5778?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/torod/tags/1.9/inc/torod_Settings.php#L80"}], "descriptions": [{"lang": "en", "value": "The Torod \u2013 The smart shipping and delivery portal for e-shops and retailers plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9. This is due to missing or incorrect nonce validation on the save_settings function. This makes it possible for unauthenticated attackers to modify plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-12-05T06:07:18.239Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12373", "state": "PUBLISHED", "dateUpdated": "2025-12-05T13:06:03.714Z", "dateReserved": "2025-10-27T21:06:28.880Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-05T06:07:18.239Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Torod \u2013 The smart shipping and delivery portal for e-shops and retailers plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9. This is due to missing or incorrect nonce validation on the save_settings function. This makes it possible for unauthenticated attackers to modify plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "id": "CVE-2025-12373", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-05T07:16:10.880", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/torod/tags/1.9/inc/torod_Settings.php#L80"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3410767/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1eedab61-e94b-4793-8bf6-cfadd94a5778?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-27T22:43:09.980449+00:00", "value": {"mitigation_remediation": ["Update the Torod plugin to version\u202f1.10 or later, which includes the nonce validation fix.", "If an update is not immediately feasible, block CSRF\u2011vulnerable admin URLs from unauthenticated access by enabling a site\u2011wide CSRF protection plugin or forcing network\u2011admin authentication for plugin settings.", "Perform a security review of all plugin configuration pages to confirm that nonce validation exists and that only authenticated administrators can submit settings changes, replacing any missing checks with a proper nonce field."], "summary": {"action": "Update Plugin", "impact": "Cross\u2011Site Request Forgery"}, "threat_synthesis": {"affected_systems": "All WordPress installations that use the Torod \u2013 The smart shipping and delivery portal for e\u2011shops and retailers plugin, with affected releases up to and including version\u202f1.9. Versions 1.10 and later contain the fix.", "description_and_impact": "The Torod shipping plugin contains a missing or incorrect nonce check in its save_settings routine, which lets an attacker send a forged request that will be processed as if it came from an authenticated administrator. Because the vulnerability does not require any credentials, an unauthenticated attacker can modify the plugin\u2019s configuration by luring the site owner into clicking a crafted link.", "risk_and_exploitability": "The CVSS score of 4.3 places the flaw in the moderate category, while an EPSS score of less than\u202f1\u202f% indicates a very low probability of exploitation. The vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires a social\u2011engineering step to get the site administrator to trigger the vulnerable action, so the attack vector is remote but relies on a user interaction."}}}}, "created": "2025-12-05T20:56:24.981559+00:00", "updated": "2026-04-27T22:45:15.491564+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}