CVE-2025-27012
Published: 22 February 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2025-27012 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, present in the WordPress plugin A1POST.BG Shipping for Woo (a1post-bg-shipping-for-woocommerce). This flaw allows privilege escalation and affects all versions of the plugin from n/a through 1.5 inclusive. Published on 2025-02-22, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.
The vulnerability can be exploited by unauthenticated attackers (PR:N) over the network (AV:N) with low complexity (AC:L), but requires user interaction (UI:R), such as tricking an authenticated user into submitting a malicious request via a crafted webpage or link. Successful exploitation enables privilege escalation, resulting in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H) within the affected WordPress site.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/a1post-bg-shipping-for-woocommerce/vulnerability/wordpress-a1post-bg-shipping-for-woo-plugin-1-5-1-csrf-to-privilege-escalation-vulnerability?_s_id=cve details the issue and indicates that version 1.5.1 of the plugin addresses the vulnerability. Practitioners should prioritize updating to 1.5.1 or later and verify CSRF token implementations in custom integrations.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CSRF vulnerability in public-facing WordPress plugin directly enables exploitation of the application for initial access (T1190) and facilitates privilege escalation (T1068) via crafted requests tricking authenticated users.