CVE-2025-58804
Description
Cross-Site Request Forgery (CSRF) vulnerability in brijrajs WooCommerce Single Page Checkout woo-single-page-checkout allows Cross Site Request Forgery. This issue affects WooCommerce Single Page Checkout: from n/a through <= 1.2.7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF vulnerability in WooCommerce Single Page Checkout plugin (≤1.2.7) allows attackers to force privileged users to execute unwanted actions.
Vulnerability
Overview
The WooCommerce Single Page Checkout plugin for WordPress (versions up to and including 1.2.7) contains a Cross-Site Request Forgery (CSRF) vulnerability [1]. This flaw arises from insufficient validation of request origins, allowing an attacker to trick a logged-in administrator or other privileged user into unknowingly performing actions on the attacker's behalf [1].
Exploitation
Method
Exploitation requires user interaction: a privileged user must click a malicious link, visit a crafted page, or submit a specially designed form while authenticated to the WordPress admin panel [1]. No additional privileges are needed beyond the victim's existing session. The attack can be initiated remotely without authentication, but the victim must be logged in with sufficient permissions for the forged request to succeed [1].
Impact
Successful exploitation could allow an attacker to force the victim to perform unintended actions under their current authentication, such as changing plugin settings, manipulating orders, or carrying out other administrative operations [1]. The CVSS v3 base score is 4.3 (Medium), reflecting the need for user interaction and the potential for limited impact on confidentiality, integrity, or availability [1].
Mitigation
The vendor has not released a patched version; users are advised to update the plugin immediately if a fix becomes available [1]. As a workaround, consider implementing additional CSRF protections or using a Web Application Firewall (WAF) to filter malicious requests. This vulnerability is noted as being used in mass-exploit campaigns, so prompt action is recommended [1].
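The plugin's own code is not shown on this page, so the following is an added illustration (not the plugin's or the vendor's code) of the class of flaw described above and of the standard WordPress fix: a hypothetical admin settings handler, first trusting any POST that arrives with the victim's session cookie, then protected by a nonce plus a capability check. The function names, option name and page slug (`spc_demo_*`, `spc-demo`) are made up for the example.

```php
<?php
// Added example, not the plugin's code. Hypothetical WordPress admin settings
// handler shown in a CSRF-prone form and in a hardened form.

// VULNERABLE PATTERN: any POST reaching admin-post.php with the victim's
// session cookie attached is honoured, so a form hosted on another site can
// drive this handler while an administrator is logged in.
function spc_demo_save_settings_unprotected() {
    if ( isset( $_POST['spc_demo_option'] ) ) {
        update_option( 'spc_demo_option', sanitize_text_field( wp_unslash( $_POST['spc_demo_option'] ) ) );
    }
    wp_safe_redirect( admin_url( 'admin.php?page=spc-demo' ) );
    exit;
}

// HARDENED PATTERN: the settings form embeds a per-user, time-limited nonce
// that a cross-site page cannot read or forge, and the handler verifies it.
function spc_demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="spc_demo_save">
        <?php wp_nonce_field( 'spc_demo_save_settings', 'spc_demo_nonce' ); ?>
        <input type="text" name="spc_demo_option"
               value="<?php echo esc_attr( get_option( 'spc_demo_option', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function spc_demo_save_settings_protected() {
    // Capability check: only users allowed to manage the store may change settings.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // Nonce check: check_admin_referer() validates the nonce for this action
    // and terminates with a 403 page if it is missing, expired or forged.
    check_admin_referer( 'spc_demo_save_settings', 'spc_demo_nonce' );

    if ( isset( $_POST['spc_demo_option'] ) ) {
        update_option( 'spc_demo_option', sanitize_text_field( wp_unslash( $_POST['spc_demo_option'] ) ) );
    }
    wp_safe_redirect( admin_url( 'admin.php?page=spc-demo' ) );
    exit;
}
// Route the form's "action" value to the protected handler only.
add_action( 'admin_post_spc_demo_save', 'spc_demo_save_settings_protected' );
```

For AJAX endpoints the equivalent server-side check is `check_ajax_referer()`; the nonce must be verified on every state-changing request, not only on the page that renders the form.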
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.