PT-2025-17953 · WordPress · Order Delivery Date

Mike Gozdiskowski · Published 2025-04-26 · Updated 2025-05-14 · CVE-2025-2907

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Order Delivery Date WordPress plugin, versions prior to 12.3.1

Description: The issue is a lack of authorization and CSRF checks when importing settings in the Order Delivery Date WordPress plugin. This allows attackers to modify sensitive options, such as setting the default user role to administrator and enabling user registration, so that they can register as an administrator of the site and gain complete control.

Recommendations: For versions prior to 12.3.1, update to version 12.3.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the settings import functionality until the patch is applied. Additionally, monitor user registrations and role assignments closely to detect any potential malicious activity.
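The two missing checks named in the description, a capability check (authorization) and a nonce check (CSRF), are what a WordPress settings-import handler needs in front of any `update_option()` call, and the monitoring the recommendations ask for can be done from the `updated_option` hook. The following is an added illustration written for this advisory; it is not the Order Delivery Date plugin's code. The function and option names prefixed `odd_example_` and the admin page slug are assumptions; `current_user_can`, `check_admin_referer`, `wp_nonce_field`, `update_option`, `updated_option` and `admin_post_{action}` are standard WordPress APIs.

```php
<?php
// Added example (not the plugin's code). Names prefixed odd_example_ are assumptions.

// Vulnerable shape of an import handler: whoever reaches this hook can write
// arbitrary options, including core ones such as users_can_register and default_role.
function odd_example_import_settings_unsafe() {
    $settings = json_decode( wp_unslash( $_POST['settings'] ?? '' ), true );
    if ( is_array( $settings ) ) {
        foreach ( $settings as $name => $value ) {
            update_option( $name, $value ); // no authorization, no nonce, no key allow-list
        }
    }
}

// Hardened handler for the same import feature.
function odd_example_import_settings() {
    // 1. Authorization: only users who may manage site options get this far.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }

    // 2. CSRF: the request must carry a nonce issued for this action to this user.
    //    The form that posts here must emit it with
    //    wp_nonce_field( 'odd_example_import', 'odd_example_nonce' );
    check_admin_referer( 'odd_example_import', 'odd_example_nonce' );

    $raw = json_decode( wp_unslash( $_POST['settings'] ?? '' ), true );
    if ( ! is_array( $raw ) ) {
        wp_die( 'Invalid import payload.', 400 );
    }

    // 3. Allow-list: an import may only touch the plugin's own option keys,
    //    so core options such as default_role can never be set through it.
    $allowed = array( 'odd_example_delivery_days', 'odd_example_cutoff_time' );
    foreach ( $raw as $name => $value ) {
        if ( in_array( $name, $allowed, true ) ) {
            update_option( $name, sanitize_text_field( (string) $value ) );
        }
    }

    wp_safe_redirect( admin_url( 'admin.php?page=odd_example_settings&imported=1' ) );
    exit;
}
add_action( 'admin_post_odd_example_import', 'odd_example_import_settings' );

// Detection: record every change to the two options this class of bug abuses,
// together with the acting user, so registration/role changes can be reviewed.
add_action( 'updated_option', function ( $option, $old_value, $value ) {
    if ( in_array( $option, array( 'default_role', 'users_can_register' ), true ) ) {
        error_log( sprintf(
            'Sensitive option %s changed from %s to %s by user id %d',
            $option,
            wp_json_encode( $old_value ),
            wp_json_encode( $value ),
            get_current_user_id()
        ) );
    }
}, 10, 3 );
```

The allow-list is the part that would have contained this issue even if the other two checks had been forgotten: a settings import that can only write the plugin's own keys cannot flip `default_role` or `users_can_register`. The `updated_option` logger gives the monitoring the recommendations call for; a change of either option by user id 0 (no logged-in user) is the signature of an unauthenticated write and is worth alerting on.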

Exploit

Fix

CSRF

Weakness Enumeration

Related Identifiers

CVE-2025-2907

Affected Products

Order Delivery Date