{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-2805", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-03-25T21:38:18.262Z", "datePublished": "2025-04-10T07:02:40.354Z", "dateUpdated": "2026-04-08T17:25:34.832Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:25:34.832Z"}, "affected": [{"vendor": "vikashsrivastava1111989", "product": "ORDER POST", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.0.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The ORDER POST plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.0.2. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes."}], "title": "ORDER POST <= 2.0.2 - Unauthenticated Arbitrary Shortcode Execution", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d35ea739-5ee9-4779-87d5-3f13b11229cf?source=cve"}, {"url": "https://plugins.svn.wordpress.org/order-post/trunk/wp_post_order.php"}, {"url": "https://wordpress.org/plugins/order-post/#developers"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')", "cweId": "CWE-94", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Avraham Shemesh"}], "timeline": [{"time": "2025-04-09T18:09:31.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-10T13:50:29.391007Z", "id": "CVE-2025-2805", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-10T14:00:17.637Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-2805", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-10T13:50:29.391007Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-10T14:00:11.167Z"}}], "cna": {"title": "ORDER POST <= 2.0.2 - Unauthenticated Arbitrary Shortcode Execution", "credits": [{"lang": "en", "type": "finder", "value": "Avraham Shemesh"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"}}], "affected": [{"vendor": "vikashsrivastava1111989", "product": "ORDER POST", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "2.0.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-04-09T18:09:31.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d35ea739-5ee9-4779-87d5-3f13b11229cf?source=cve"}, {"url": "https://plugins.svn.wordpress.org/order-post/trunk/wp_post_order.php"}, {"url": "https://wordpress.org/plugins/order-post/#developers"}], "descriptions": [{"lang": "en", "value": "The ORDER POST plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.0.2. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-04-10T07:02:40.354Z"}}}, "cveMetadata": {"cveId": "CVE-2025-2805", "state": "PUBLISHED", "dateUpdated": "2025-04-10T14:00:17.637Z", "dateReserved": "2025-03-25T21:38:18.262Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-04-10T07:02:40.354Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The ORDER POST plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.0.2. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes."}, {"lang": "es", "value": " El complemento ORDER POST para WordPress es vulnerable a la ejecuci\u00f3n de c\u00f3digos cortos arbitrarios en todas las versiones hasta la 2.0.2 incluida. Esto se debe a que el software permite a los usuarios ejecutar una acci\u00f3n que no valida correctamente un valor antes de ejecutar do_shortcode. Esto permite que atacantes no autenticados ejecuten c\u00f3digos cortos arbitrarios."}], "id": "CVE-2025-2805", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-04-10T07:15:41.687", "references": [{"source": "security@wordfence.com", "url": "https://plugins.svn.wordpress.org/order-post/trunk/wp_post_order.php"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/order-post/#developers"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d35ea739-5ee9-4779-87d5-3f13b11229cf?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T23:18:48.894845+00:00", "value": {"mitigation_remediation": ["Update the ORDER POST plugin to a version newer than 2.0.2, which removes the unchecked shortcode handling. ", "If a patch is unavailable or delays exist, uninstall or deactivate the plugin until an update can be applied to prevent any shortcode execution. ", "Implement site\u2011wide shortcode restrictions or additional input sanitization, such as using a whitelist of permitted shortcodes or configuring the plugin\u2019s settings to restrict shortcode usage to authenticated users only."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary Shortcode Execution allowing potential remote code execution within WordPress sites"}, "threat_synthesis": {"affected_systems": "WordPress sites using the ORDER POST plugin, specifically all releases up to and including version 2.0.2. Any instance that has not applied the recent update remains vulnerable.", "description_and_impact": "The ORDER POST plugin contains a flaw that lets attackers supply unchecked input to the do_shortcode function. This improper validation permits execution of chosen shortcodes without authentication. The vulnerability is identified as a Code Injection weakness (CWE-94). If attackers supply a malicious shortcode that invokes server\u2011side actions, they can run arbitrary code under the web server\u2019s user privileges, leading to full compromise of the affected WordPress installation.", "risk_and_exploitability": "The CVSS score of 7.3 signals high severity, and the EPSS value of 1% indicates that a measurable portion of the WordPress ecosystem is likely to attempt exploitation. Although the vulnerability is not yet in the CISA KEV catalog, the ability for unauthenticated actors to trigger arbitrary shortcodes is a clear attacker pathway. The most probable attack vector involves an unauthenticated request to a page that includes a shortcode, or exploitation via the plugin\u2019s existing shortcode processing route."}}}}, "created": "2026-04-20T23:30:16.104712+00:00", "updated": "2026-04-20T23:30:16.104724+00:00", "vendors": []}