CVE-2025-47661
Description
Cross-Site Request Forgery (CSRF) vulnerability in codemstory 워드프레스 결제 심플페이 pgall-for-woocommerce allows Cross Site Request Forgery. This issue affects 워드프레스 결제 심플페이: from n/a through <= 5.2.11.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-Site Request Forgery (CSRF) vulnerability in the WordPress pgall-for-woocommerce plugin allows attackers to force privileged users to execute unwanted actions; fixed in version 5.3.3.
The vulnerability is a Cross-Site Request Forgery (CSRF) in the WordPress plugin 'pgall-for-woocommerce' (워드프레스 결제 심플페이), affecting versions up to and including 5.2.11. The root cause is a missing or insufficient CSRF token validation, which allows an attacker to craft malicious requests that are executed in the context of an authenticated administrator.
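The pattern described above, shown as an added illustration rather than code from pgall-for-woocommerce: a WordPress settings handler that relies on the user's capabilities alone (the CSRF-prone shape) next to one that also binds the request to a nonce issued for that user and that action. The option name `example_merchant_id`, the action slug `example_save_settings` and the function names are hypothetical.

```php
<?php
// Added illustration, not code from the plugin. Option name and action slug
// are hypothetical.

// BEFORE: capability check only. The victim is a logged-in administrator, so
// current_user_can() passes; a page the admin visits can auto-submit this POST
// and the option is overwritten without the admin's intent.
function example_save_settings_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    if ( isset( $_POST['example_merchant_id'] ) ) {
        update_option(
            'example_merchant_id',
            sanitize_text_field( wp_unslash( $_POST['example_merchant_id'] ) )
        );
    }
}
add_action( 'admin_init', 'example_save_settings_vulnerable' );

// AFTER: the form embeds a nonce tied to the current user and to one action.
// A cross-origin page cannot read that value, so its forged POST fails the check.
function example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_settings" />
        <?php wp_nonce_field( 'example_save_settings', 'example_nonce' ); ?>
        <label>Merchant ID <input type="text" name="example_merchant_id" /></label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function example_save_settings_hardened() {
    // 1. Authorization: is this user allowed to change settings at all?
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. Request-origin check: the nonce must exist and match this action and
    //    this user. check_admin_referer() terminates with a 403 page otherwise.
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    // 3. Only after both checks act on the input.
    if ( isset( $_POST['example_merchant_id'] ) ) {
        update_option(
            'example_merchant_id',
            sanitize_text_field( wp_unslash( $_POST['example_merchant_id'] ) )
        );
    }
    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
// admin_post_{action} runs only for authenticated users posting to admin-post.php.
add_action( 'admin_post_example_save_settings', 'example_save_settings_hardened' );
```

The two checks are distinct: the capability check answers "may this account do this", the nonce check answers "did this account actually ask for it from our own page". For handlers reached over admin-ajax.php the equivalent call is `check_ajax_referer()`. When reviewing a plugin for this class of bug, look for every `update_option()`, `wp_update_post()` or payment-gateway setting write reachable from a POST handler and confirm a nonce check sits on the path before it.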
Exploitation requires user interaction: a privileged user (such as an admin) must be tricked into clicking a malicious link, visiting a crafted page, or submitting a form while logged into the WordPress site. No direct authentication is needed for the attacker, but the victim must have an active session with sufficient privileges.
Successful exploitation could allow an attacker to perform unauthorized actions on behalf of the victim, such as modifying plugin settings, changing payment configurations, or initiating transactions. The CVSS score of 5.4 (Medium) reflects the need for user interaction and the potential for limited impact, though the vulnerability could be chained in broader attacks.
The vendor has released version 5.3.3 to address the issue. Users are strongly advised to update immediately. Patchstack recommends enabling auto-updates for vulnerable plugins. No workarounds are mentioned, so updating is the only reliable mitigation [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.