Description
The USB Qr Code Scanner For Woocommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing nonce validation on the settings page. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick an administrator into performing an action such as clicking on a link.
Published: 2025-11-11
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Site Request Forgery that allows an attacker to alter the plugin's settings without authentication
Action: Immediate Patch
AI Analysis

Impact

The USB Qr Code Scanner For Woocommerce plugin lacks nonce validation on its settings page. An unauthenticated attacker can craft a forged request that a logged-in administrator may inadvertently submit, resulting in the plugin's configuration being changed. Such a modification can expose the site to policy violations, data leakage, or other unintended behaviors, although it does not directly compromise the core WordPress installation.

Affected Systems

Products affected are the USB Qr Code Scanner For Woocommerce plugin created by behzadrohizadeh. All released versions up to and including 1.0.0 are vulnerable; administrators using any of these releases must take action.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate risk level, while the EPSS score of less than 1% suggests a very low likelihood of exploitation in the wild. The vulnerability is not listed in CISA KEV, and the attack depends on a link or form supplied by the attacker that tricks a logged-in administrator into submitting the request. Because the CSRF flaw allows the plugin's settings to be altered, a successful attack can impact the confidentiality and integrity of the site's configuration. Standard defensive measures such as proper nonce checks on the settings handler are necessary to mitigate this risk.

Generated by OpenCVE AI on April 21, 2026 at 18:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the USB Qr Code Scanner For Woocommerce plugin to a fixed release or obtain a patch from the author that adds nonce validation on the settings page.
  • If an update is not yet available, disable the plugin or remove its settings page from the admin interface to prevent accidental submission of forged requests.
  • Implement additional CSRF protection for WordPress or use a Web Application Firewall rule that blocks unauthorized POST requests to the plugin’s settings endpoint.
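The fix the actions above ask for is the standard WordPress pattern of tying every state-changing settings request to a nonce and a capability check. The following is an added example written for this page, not code from the plugin or its author; the option name `qrs_demo_settings`, the `admin_post` action `qrs_demo_save`, the nonce action/field names, and the `scanner_prefix` field are all hypothetical. It shows the unprotected handler shape that CWE-352 describes next to the hardened form.

```php
<?php
// Added example (not the plugin's own code). Option name, hook names and the
// 'scanner_prefix' field are assumptions chosen for illustration.

// --- Unprotected pattern (the class of bug described on this page). ---
// A capability check alone does not stop CSRF: a forged form is submitted by
// the administrator's own browser, so current_user_can() still passes.
function qrs_demo_save_settings_unprotected() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    $scanner_prefix = sanitize_text_field( wp_unslash( $_POST['scanner_prefix'] ?? '' ) );
    update_option( 'qrs_demo_settings', array( 'scanner_prefix' => $scanner_prefix ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=qrs-demo&saved=1' ) );
    exit;
}

// --- Hardened pattern: nonce in the form, nonce + capability in the handler. ---
function qrs_demo_render_settings_page() {
    $settings = get_option( 'qrs_demo_settings', array( 'scanner_prefix' => '' ) );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php
        // Emits a hidden field named 'qrs_demo_nonce' bound to this action and
        // to the current user's session; a cross-site form cannot forge it.
        wp_nonce_field( 'qrs_demo_save_settings', 'qrs_demo_nonce' );
        ?>
        <input type="hidden" name="action" value="qrs_demo_save">
        <label>Scanner prefix
            <input type="text" name="scanner_prefix"
                   value="<?php echo esc_attr( $settings['scanner_prefix'] ); ?>">
        </label>
        <?php submit_button( 'Save settings' ); ?>
    </form>
    <?php
}

function qrs_demo_save_settings_hardened() {
    // Terminates the request with a 403 unless 'qrs_demo_nonce' carries a valid,
    // unexpired nonce for exactly this action. Must run before any write.
    check_admin_referer( 'qrs_demo_save_settings', 'qrs_demo_nonce' );

    // The nonce proves intent; the capability check proves authorization.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions', 'qrs-demo' ), 403 );
    }

    $scanner_prefix = sanitize_text_field( wp_unslash( $_POST['scanner_prefix'] ?? '' ) );
    update_option( 'qrs_demo_settings', array( 'scanner_prefix' => $scanner_prefix ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=qrs-demo&saved=1' ) );
    exit;
}

// Only the logged-in variant of the hook is registered; because no
// 'admin_post_nopriv_qrs_demo_save' handler exists, an anonymous request to
// this action does nothing.
add_action( 'admin_post_qrs_demo_save', 'qrs_demo_save_settings_hardened' );
```

Two points worth checking when reviewing a settings handler of this kind: the nonce verification has to precede the `update_option()` call rather than follow it, and the nonce must be emitted by the form itself (`wp_nonce_field()`) rather than read from a URL that an attacker could also read, since WordPress nonces are valid for roughly 12 to 24 hours and are bound to the user and action, not to a single request.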

Advisories

No advisories yet.

History

Wed, 12 Nov 2025 20:15:00 +0000

  Type: Metrics
  Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 12 Nov 2025 13:00:00 +0000

  Type: First Time appeared
  Values added: Behzadrohizadeh; Behzadrohizadeh usb Qr Code Scanner For Woocommerce; Woocommerce; Woocommerce woocommerce; Wordpress; Wordpress wordpress

  Type: Vendors & Products
  Values added: Behzadrohizadeh; Behzadrohizadeh usb Qr Code Scanner For Woocommerce; Woocommerce; Woocommerce woocommerce; Wordpress; Wordpress wordpress

Tue, 11 Nov 2025 03:45:00 +0000

  Type: Description
  Values added: (the Description text shown at the top of this page)

  Type: Title
  Values added: USB Qr Code Scanner For Woocommerce <= 1.0.0 - Cross-Site Request Forgery to Settings Update

  Type: Weaknesses
  Values added: CWE-352

  Type: References
  Values added: (none listed)

  Type: Metrics
  Values added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:59:35.248Z

Reserved: 2025-10-31T22:32:12.385Z

Link: CVE-2025-12588

Vulnrichment

Updated: 2025-11-12T15:36:44.124Z

NVD

Status: Deferred

Published: 2025-11-11T04:15:47.057

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12588

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T18:30:27Z

Weaknesses