CVE-2025-58799
Description
Cross-Site Request Forgery (CSRF) vulnerability in themelocation Custom WooCommerce Checkout Fields Editor add-fields-to-checkout-page-woocommerce allows Cross Site Request Forgery. This issue affects Custom WooCommerce Checkout Fields Editor: from n/a through <= 1.3.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF in the Custom WooCommerce Checkout Fields Editor plugin for WordPress (≤1.3.4) allows attackers to force privileged users into executing unwanted actions.
Vulnerability
Overview
The Custom WooCommerce Checkout Fields Editor plugin for WordPress (versions up to and including 1.3.4) contains a Cross-Site Request Forgery (CSRF) vulnerability [1]. This flaw stems from insufficient validation of request origins when processing state-changing actions, allowing an attacker to craft malicious requests that appear legitimate to the application.
Exploitation
Exploitation requires user interaction: a privileged user (such as an administrator) must click a malicious link, visit a crafted page, or submit a specially designed form while authenticated to the WordPress site [1]. No additional privileges are needed beyond the victim's existing session; the attack can be initiated by any unauthenticated attacker.
Impact
Successful exploitation could allow an attacker to force the victim to perform unintended actions under their current authentication, such as modifying checkout field configurations or other plugin settings [1]. This could lead to unauthorized changes that affect the WooCommerce checkout process.
Mitigation
The vulnerability affects all versions up to and including 1.3.4. Users are strongly advised to update the plugin to the latest available version as soon as possible [1]. If immediate updating is not feasible, consulting with a hosting provider or web developer for alternative mitigation measures is recommended.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 1.3.4
- Range: <= 1.3.4
Patches
No patches discovered yet.
References