{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-15635", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-15T15:47:48.291Z", "datePublished": "2026-04-15T15:49:53.280Z", "dateUpdated": "2026-04-16T14:15:13.253Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-15T15:49:53.280Z"}, "title": "WordPress Smart Online Order for Clover plugin <= 1.6.0 - Cross Site Request Forgery (CSRF) vulnerability", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-62", "descriptions": [{"lang": "en", "value": "CAPEC-62 Cross Site Request Forgery"}]}], "affected": [{"vendor": "Zaytech", "product": "Smart Online Order for Clover", "collectionURL": "https://wordpress.org/plugins", "packageName": "clover-online-orders", "versions": [{"status": "affected", "version": "n/a", "lessThanOrEqual": "1.6.0", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in Zaytech Smart Online Order for Clover allows Cross Site Request Forgery.This issue affects Smart Online Order for Clover: from n/a through 1.6.0.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Cross-Site Request Forgery (CSRF) vulnerability in Zaytech Smart Online Order for Clover allows Cross Site Request Forgery.<p>This issue affects Smart Online Order for Clover: from n/a through 1.6.0.</p>"}]}], "tags": ["x_open-source"], "references": [{"url": "https://patchstack.com/database/wordpress/plugin/clover-online-orders/vulnerability/wordpress-smart-online-order-for-clover-plugin-1-6-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "credits": [{"lang": "en", "value": "Mika | Patchstack Bug Bounty Program", "user": "00000000-0000-4000-9000-000000000000", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-16T14:14:12.803678Z", "id": "CVE-2025-15635", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T14:15:13.253Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-15635", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-16T14:14:12.803678Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T14:14:52.426Z"}}], "cna": {"tags": ["x_open-source"], "title": "WordPress Smart Online Order for Clover plugin <= 1.6.0 - Cross Site Request Forgery (CSRF) vulnerability", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Mika | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-62", "descriptions": [{"lang": "en", "value": "CAPEC-62 Cross Site Request Forgery"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Zaytech", "product": "Smart Online Order for Clover", "versions": [{"status": "affected", "version": "n/a", "versionType": "custom", "lessThanOrEqual": "1.6.0"}], "packageName": "clover-online-orders", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "references": [{"url": "https://patchstack.com/database/wordpress/plugin/clover-online-orders/vulnerability/wordpress-smart-online-order-for-clover-plugin-1-6-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in Zaytech Smart Online Order for Clover allows Cross Site Request Forgery.This issue affects Smart Online Order for Clover: from n/a through 1.6.0.", "supportingMedia": [{"type": "text/html", "value": "Cross-Site Request Forgery (CSRF) vulnerability in Zaytech Smart Online Order for Clover allows Cross Site Request Forgery.<p>This issue affects Smart Online Order for Clover: from n/a through 1.6.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-15T15:49:53.280Z"}}}, "cveMetadata": {"cveId": "CVE-2025-15635", "state": "PUBLISHED", "dateUpdated": "2026-04-16T14:15:13.253Z", "dateReserved": "2026-04-15T15:47:48.291Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-04-15T15:49:53.280Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in Zaytech Smart Online Order for Clover allows Cross Site Request Forgery.This issue affects Smart Online Order for Clover: from n/a through 1.6.0."}], "id": "CVE-2025-15635", "lastModified": "2026-04-15T17:17:00.277", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-04-15T17:17:00.277", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/wordpress/plugin/clover-online-orders/vulnerability/wordpress-smart-online-order-for-clover-plugin-1-6-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.6.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Smart Online Order for Clover", "source": "cna", "vendor": "Zaytech"}, "product": "smart_online_order_for_clover", "vendor": "zaytech"}], "analysis": {"en": {"generated_at": "2026-04-15T22:20:34.728166+00:00", "value": {"mitigation_remediation": ["Check the Zaytech website for a vendor-published fix or update to a version newer than 1.6.0 that addresses CSRF.", "If an update is not yet available, restrict access to the plugin\u2019s action endpoints or enforce additional nonce verification for state-changing requests.", "Implement site-wide CSRF protection by adding nonces to all forms or using WordPress REST API authentication mechanisms to ensure requests include a verification token.", "Monitor site logs for unexpected order creation or modification after the patch and review user activity to detect any malicious actions."], "summary": {"action": "Assess Impact", "impact": "Unauthorized Action via CSRF"}, "threat_synthesis": {"affected_systems": "The Smart Online Order for Clover WordPress plugin, made by Zaytech, is vulnerable in all releases from its first version through 1.6.0. Any site running any of those releases faces risk until upgraded to a newer minor release.", "description_and_impact": "The vulnerability is a CSRF flaw that allows an attacker to cause authenticated users of the Smart Online Order for Clover plugin to submit requests without their consent. Because the plugin does not properly verify request authenticity, an attacker can potentially create, modify, or delete orders, or trigger other privileged actions that the plugin exposes. The impact is non-confidentiality and non-availability, focusing on unauthorized action and potential financial loss.", "risk_and_exploitability": "The CVSS score is 4.3, reflecting a moderate risk. No EPSS data is published, and the issue is not yet in the CISA KEV list, which suggests a lower likelihood of widespread exploitation. The likely attack vector involves tricking an authenticated user into visiting a malicious link that submits a request to the plugin, inferred because CSRF requires an authenticated session. If an attacker can gain a social-engineering foothold, they could trigger unwanted actions on the site, potentially creating fraudulent orders or altering order data."}}}}, "created": "2026-04-15T21:00:09.464437+00:00", "updated": "2026-04-15T22:30:16.060748+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "zaytech", "zaytech$PRODUCT$smart_online_order_for_clover"]}