VYPR
Medium severity (CVSS 4.3) · NVD Advisory · Published Sep 26, 2025 · Updated Apr 23, 2026

CVE-2025-60139


Description

Cross-Site Request Forgery (CSRF) vulnerability in Joovii Sendle Shipping official-sendle-shipping-method allows Cross Site Request Forgery. This issue affects Sendle Shipping: from n/a through <= 6.02.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CSRF in Sendle Shipping plugin for WordPress (≤6.02) lets attackers force privileged users to execute unwanted actions.

Vulnerability

Overview

The Sendle Shipping plugin for WordPress (official-sendle-shipping-method), in versions up to and including 6.02, is vulnerable to Cross-Site Request Forgery (CSRF). This flaw allows an attacker to trick a higher-privileged user, such as an administrator, into performing unintended actions while authenticated [1]. The root cause is the lack of proper CSRF token validation on sensitive operations within the plugin.

Exploitation

Exploitation requires user interaction: a privileged user must click a malicious link, visit a crafted page, or submit a specially crafted form [1]. No authentication is needed for the attacker, but the victim must be logged into the WordPress admin panel. The attack can be initiated by any unauthenticated user, making it a low-complexity vector that can be chained with other vulnerabilities in mass-exploit campaigns [1].

Impact

Successful CSRF exploitation could allow an attacker to force the victim to change plugin settings, modify shipping configurations, or perform other administrative actions under the victim's session [1]. While the CVSS score is 4.3 (Medium), the impact is limited to actions the victim can perform, and the vulnerability is considered low severity by the vendor [1].

Mitigation

The vulnerability is patched in version 6.03 of the Sendle Shipping plugin. Users are strongly advised to update immediately [1]. For those unable to update, contacting a hosting provider or web developer for assistance is recommended. Patchstack users can enable auto-updates for vulnerable plugins [1].
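The root cause named in the Overview (no CSRF token validation on a sensitive operation) and the fix applied in 6.03 map onto WordPress's standard nonce mechanism. The following is an added illustration, not code from the Sendle Shipping plugin or its vendor: a hypothetical settings-save handler shown in its weak form and then hardened with a capability check and nonce verification. All hook, option, field and function names are assumptions.

```php
<?php
// Added illustration (not the plugin's own code). Hook, option and field
// names below are hypothetical; the real plugin's identifiers are not on the page.

// --- Weak pattern: every POST reaching this handler is acted on. Nothing ties
// the request to a form the site itself rendered, so a logged-in administrator
// whose browser submits a form here from another origin changes the setting
// without intending to. This is the class of defect CVE-2025-60139 describes.
function example_save_shipping_settings_weak() {
    update_option( 'example_shipping_api_key', sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) ) );
    wp_safe_redirect( admin_url( 'admin.php?page=example-shipping&saved=1' ) );
    exit;
}

// --- Hardened pattern: the form carries a nonce, the handler checks it.
function example_render_shipping_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_shipping_settings">
        <?php
        // Emits a hidden field named _example_nonce, bound to the current user
        // and session, plus a _wp_http_referer field.
        wp_nonce_field( 'example_save_shipping_settings', '_example_nonce' );
        ?>
        <input type="text" name="api_key" value="<?php echo esc_attr( get_option( 'example_shipping_api_key', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function example_save_shipping_settings_hardened() {
    // 1. Authorization: a nonce is not a permission check, so verify the
    //    capability separately.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. CSRF check: the request must carry a valid nonce for this exact action.
    //    check_admin_referer() calls wp_die() on failure, so execution stops here.
    check_admin_referer( 'example_save_shipping_settings', '_example_nonce' );

    update_option( 'example_shipping_api_key', sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) ) );
    wp_safe_redirect( admin_url( 'admin.php?page=example-shipping&saved=1' ) );
    exit;
}

// admin_post_{action} fires for logged-in users submitting to admin-post.php.
add_action( 'admin_post_example_save_shipping_settings', 'example_save_shipping_settings_hardened' );
```

When reviewing a plugin for this defect class, look for every admin-side handler that calls update_option() or similar state-changing functions and confirm both a capability check and a check_admin_referer()/wp_verify_nonce() call precede it.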

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
