CVE-2025-47674
Description
Cross-Site Request Forgery (CSRF) vulnerability in Credova Financial Credova_Financial credova-financial allows Cross Site Request Forgery. This issue affects Credova_Financial: from n/a through <= 2.5.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A CSRF vulnerability in the Credova Financial plugin for WordPress allows attackers to force authenticated users to execute unwanted actions.
Vulnerability
Overview
CVE-2025-47674 is a Cross-Site Request Forgery (CSRF) vulnerability found in the Credova Financial plugin for WordPress (credova-financial) versions up to and including 2.5.0 [1]. The issue stems from insufficient CSRF token validation or missing nonce checks in sensitive state-changing operations, allowing an attacker to trick a logged-in administrator into performing unintended actions.
Exploitation and Attack Surface
Exploitation requires the targeted user to be logged into their WordPress admin panel and to interact with a malicious link, form submission, or crafted webpage. The attacker needs no privileges on the target site; the only requirement is that the victim's browser submits the forged request while authenticated. The vulnerability is classified as medium severity with a CVSS v3 score of 4.3, indicating that while exploitation is possible, it relies on social engineering to coerce a privileged user [1].
Impact
A successful CSRF attack could allow an attacker to force a higher-privileged user (such as an administrator) to execute actions under their current authentication session. This might include changing plugin settings, modifying configurations, or performing other unauthorized operations without the victim's consent, depending on the actions exposed by the plugin [1].
Mitigation
The vendor has addressed the vulnerability in version 2.5.1 of the plugin. Users are strongly advised to update to version 2.5.1 or later to eliminate the CSRF risk. For additional protection, enabling automatic updates for vulnerable plugins via a security solution like Patchstack is recommended [1].
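To illustrate the "missing nonce check" pattern the overview describes, here is an added example (not code from the Credova Financial plugin or from Patchstack): a hypothetical WordPress admin-post handler that saves a plugin setting, first without any request-origin check and then with WordPress's nonce and capability checks. The option name, action names, and form field are invented for this example.

```php
<?php
// Added example, not the plugin's code. Option and action names are hypothetical.

// --- Weak pattern: a state-changing handler with no nonce or capability check.
// Any third-party page the logged-in administrator visits can POST this form
// on their behalf, because the browser attaches the WordPress session cookies.
add_action( 'admin_post_example_save_settings_weak', function () {
    update_option( 'example_api_mode', sanitize_text_field( wp_unslash( $_POST['api_mode'] ?? '' ) ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=example' ) );
    exit;
} );

// --- Hardened pattern: accept the request only if it came from our own form.
// 1) The settings form embeds a nonce bound to the action and the current user.
function example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_settings">
        <?php wp_nonce_field( 'example_save_settings', 'example_nonce' ); ?>
        <input type="text" name="api_mode"
               value="<?php echo esc_attr( get_option( 'example_api_mode', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// 2) The handler refuses the request unless the caller holds the capability
//    AND the nonce validates. A cross-site form cannot obtain a valid nonce,
//    so the forged request is rejected before any state changes.
add_action( 'admin_post_example_save_settings', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // check_admin_referer() terminates with a 403 when the nonce is missing,
    // expired, or issued for a different action or user.
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    $mode = sanitize_text_field( wp_unslash( $_POST['api_mode'] ?? '' ) );
    update_option( 'example_api_mode', $mode );
    wp_safe_redirect( admin_url( 'options-general.php?page=example' ) );
    exit;
} );
```

When reviewing a plugin for this class of issue, look for every `admin_post_*`, `wp_ajax_*`, and `options.php` handler that writes state and confirm each one performs both the capability check and the nonce verification shown above.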
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <= 2.5.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.