CVE-2025-2805
No known patch is available for this vulnerability.
The affected plugin has been removed from the WordPress.org directory (reason: Security Issue), and no patched version is being distributed through the official directory. If you have the affected software installed, you should uninstall or replace it rather than wait for an update.
Description
The ORDER POST WordPress plugin ≤2.0.2 allows unauthenticated arbitrary shortcode execution via an action that fails to validate input before calling do_shortcode.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
The ORDER POST plugin for WordPress, versions up to and including 2.0.2, contains a vulnerability that permits arbitrary shortcode execution. The issue resides in the plugin's core file wp_post_order.php, where user-supplied input is passed directly to the do_shortcode() function without proper validation or sanitization [1]. This allows an attacker to inject and execute any WordPress shortcode of their choosing.
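The following is an added illustration, not the plugin's actual code from wp_post_order.php (which is not reproduced here): a hypothetical AJAX handler showing the pattern the advisory describes, beside a hardened form that only ever hands server-chosen, allowlisted shortcodes to do_shortcode(). All function, hook and nonce names are assumptions.

```php
<?php
// Added example, not the ORDER POST plugin's own code. Names are hypothetical.

// Vulnerable pattern (as described in the advisory): request content is passed
// straight to do_shortcode(), so an anonymous visitor can invoke any shortcode
// registered on the site. No nonce, no capability check, no allowlist.
function hypothetical_vulnerable_action() {
    $content = isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '';
    echo do_shortcode( $content );
    wp_die();
}
// The nopriv hook is what makes this reachable without authentication.
add_action( 'wp_ajax_nopriv_hypothetical_render', 'hypothetical_vulnerable_action' );
add_action( 'wp_ajax_hypothetical_render', 'hypothetical_vulnerable_action' );

// Hardened form: the client selects a view by key; the shortcode string itself
// is fixed server-side, the request must carry a valid nonce, and the caller
// must hold a capability. Nothing user-controlled reaches do_shortcode().
function hypothetical_hardened_action() {
    check_ajax_referer( 'hypothetical_render_nonce', 'nonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Allowlist of shortcodes this endpoint is permitted to render.
    $allowed = array(
        'recent'  => '[hypothetical_recent_posts count="5"]',
        'gallery' => '[gallery columns="3"]',
    );
    $key = isset( $_POST['view'] ) ? sanitize_key( $_POST['view'] ) : '';
    if ( ! isset( $allowed[ $key ] ) ) {
        wp_send_json_error( 'unknown view', 400 );
    }
    wp_send_json_success( do_shortcode( $allowed[ $key ] ) );
}
// Registered for authenticated users only; no wp_ajax_nopriv_ variant.
add_action( 'wp_ajax_hypothetical_render_safe', 'hypothetical_hardened_action' );
```

A defender reviewing a plugin can grep for do_shortcode() calls whose argument traces back to $_GET, $_POST or $_REQUEST, and for wp_ajax_nopriv_ hooks on handlers that render content; either is the same shape as the flaw described here.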
Exploitation
Conditions
Exploitation does not require authentication; any unauthenticated visitor can trigger the vulnerable action by sending a crafted request. The plugin's code shows that the shortcode parameter is taken from user input and processed immediately, making the attack surface broad and easily accessible [1]. No special privileges or network position are needed beyond the ability to reach the WordPress site.
Impact
Successful exploitation enables an attacker to execute arbitrary shortcodes. Depending on the shortcodes available on the site, this could lead to reading sensitive data, modifying content, or executing PHP code if a shortcode like [php] is enabled. In many configurations, this can escalate to full site compromise, including database access and privilege escalation.
Mitigation
Status
The plugin has been closed on the WordPress Plugin Directory as of April 9, 2025, due to this security issue [2]. No patched version exists. Users are strongly advised to remove the plugin immediately and replace it with an alternative solution.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- ORDER POST WordPress plugin (no CPE), affected range: <=2.0.2
Patches
order-post: This plugin has been removed from the WordPress.org directory on 2025-04-09 (reason: Security Issue). No patched version is being distributed through the official directory. Users who have it installed should uninstall it.
Source: api.wordpress.org · directory page