VYPR
Medium severity 4.3 · NVD Advisory · Published Apr 15, 2026 · Updated Apr 23, 2026

CVE-2025-15635

Description

Cross-Site Request Forgery (CSRF) vulnerability in ZAYTECH Smart Online Order for Clover clover-online-orders allows Cross Site Request Forgery. This issue affects Smart Online Order for Clover: from n/a through <= 1.6.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CSRF vulnerability in ZAYTECH Smart Online Order for Clover plugin (≤1.6.0) allows attackers to force authenticated users to execute unwanted actions.

Vulnerability Overview

The Smart Online Order for Clover plugin for WordPress, developed by ZAYTECH, contains a Cross-Site Request Forgery (CSRF) vulnerability in versions up to and including 1.6.0. This flaw arises from insufficient validation of request origins, allowing an attacker to craft malicious requests that are executed under the identity of an authenticated user [1].

Exploitation Method

Exploitation requires user interaction: a higher-privileged user (such as an administrator) must be tricked into clicking a malicious link, visiting a crafted page, or submitting a form while authenticated to the WordPress admin area. The attacker does not need direct access to the site but can leverage social engineering to deliver the payload [1].

Impact

Successful CSRF attacks can force the victim to perform unintended actions under their current authentication, such as changing plugin settings, creating new admin accounts, or modifying orders. This could lead to partial loss of integrity and availability, though the CVSS score of 4.3 (Medium) reflects the requirement for user interaction and the limited scope of direct impact [1].

Mitigation

Users are strongly advised to update the plugin to a patched version immediately. If an update is not available, temporary measures such as implementing CSRF tokens or using a web application firewall may help, but updating is the recommended course of action [1].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
