Description
The Kirim.Email WooCommerce Integration plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.9. This is due to missing nonce validation on the plugin's settings page. This makes it possible for unauthenticated attackers to modify the plugin's API credentials and integration settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-12-12
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized modification of plugin configuration via CSRF
Action: Patch
AI Analysis

Impact

The Kirim.Email WooCommerce Integration plugin does not validate a nonce when its settings page is saved, so the save request is vulnerable to Cross-Site Request Forgery. An attacker who can get a logged-in administrator to open a crafted page or link can have that administrator's browser submit a forged settings request, altering the plugin's API credentials and integration settings without the administrator's knowledge or explicit confirmation. Because those settings control the site's connection to the Kirim.Email service, a successful attack could swap in attacker-chosen credentials and disrupt or redirect the email integration. The CVSS vector records a low integrity impact only (I:L), with no confidentiality or availability impact.

Affected Systems

The vulnerability exists in all releases of the Kirim.Email WooCommerce Integration WordPress plugin up to and including version 1.2.9. The advisory bounds the affected range at 1.2.9 but does not name a fixed release; confirm in the plugin's changelog that the version you install adds nonce validation to the settings page before treating it as patched.

Risk and Exploitability

The CVSS 3.1 base score of 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) reflects a low-integrity impact that requires no privileges but does require user interaction: the attacker is unauthenticated, but a logged-in administrator must be tricked into following a link or loading a page that submits the forged request. The EPSS score below 1% suggests active exploitation is presently unlikely, the SSVC assessment records Exploitation: none and Automatable: no, and the vulnerability is not listed in the CISA KEV catalog. No public exploit is reported at this time.

Generated by OpenCVE AI on April 22, 2026 at 00:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Kirim.Email WooCommerce Integration plugin to a release newer than 1.2.9 that adds nonce validation to the settings page; the advisory does not name the fixed version, so confirm it in the plugin's changelog.
  • If an upgrade cannot be performed immediately, add a CSRF check to the plugin's settings form: render a nonce field with wp_nonce_field() and validate it with check_admin_referer(), together with a current_user_can() capability check, before any option is updated. A local patch of this kind is overwritten by the next plugin update, so track it.
  • Restricting the WordPress administration area to trusted IP addresses or requiring multi-factor authentication does not block this attack, because the forged request is sent by the administrator's own already-authenticated browser from its usual location. Keep those controls as defense in depth, and reduce exposure by having administrators avoid browsing untrusted sites while logged in to wp-admin and by keeping administrator sessions short.
  • Review the plugin's stored API credentials and integration settings for unexpected values, and rotate the Kirim.Email API credentials if there is any sign they were changed.
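The following is an added example illustrating the interim fix in the second action above; it is not code from the Kirim.Email plugin and does not reproduce its actual settings handler. It shows the unprotected pattern the advisory describes (a settings save that honours any POST) next to a hardened handler that checks capability and nonce before writing options. The option name kirimemail_wc_settings, the field names, the menu slug and all kewc_example_* function names are assumptions chosen for illustration.

```php
<?php
// Added example, not code from the Kirim.Email plugin. Option name, field
// names, menu slug and function names are assumptions for illustration.

// --- Vulnerable pattern (CWE-352): nothing ties the request to the admin's
// session, so a cross-site form post that carries these fields is honoured.
// Not hooked anywhere here; shown only for contrast with the hardened version.
function kewc_example_save_settings_vulnerable() {
    if ( isset( $_POST['kewc_api_key'] ) ) {
        update_option( 'kirimemail_wc_settings', array(
            'api_key' => sanitize_text_field( wp_unslash( $_POST['kewc_api_key'] ) ),
            'list_id' => sanitize_text_field( wp_unslash( $_POST['kewc_list_id'] ?? '' ) ),
        ) );
    }
}

// --- Hardened pattern, step 1: render the form with a nonce field. The nonce
// is bound to the current user's session and action name and expires, so a
// page on another origin cannot produce a valid one.
function kewc_example_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $settings = get_option( 'kirimemail_wc_settings', array( 'api_key' => '', 'list_id' => '' ) );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="kewc_example_save_settings">
        <?php wp_nonce_field( 'kewc_example_save_settings', 'kewc_example_nonce' ); ?>
        <label>API key
            <input type="text" name="kewc_api_key" value="<?php echo esc_attr( $settings['api_key'] ); ?>">
        </label>
        <label>List ID
            <input type="text" name="kewc_list_id" value="<?php echo esc_attr( $settings['list_id'] ); ?>">
        </label>
        <?php submit_button( 'Save settings' ); ?>
    </form>
    <?php
}

// --- Hardened pattern, step 2: verify capability and nonce before writing.
// check_admin_referer() calls wp_die() when the nonce is missing or invalid,
// so execution never reaches update_option() for a forged request.
function kewc_example_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'kewc_example_save_settings', 'kewc_example_nonce' );

    update_option( 'kirimemail_wc_settings', array(
        'api_key' => sanitize_text_field( wp_unslash( $_POST['kewc_api_key'] ?? '' ) ),
        'list_id' => sanitize_text_field( wp_unslash( $_POST['kewc_list_id'] ?? '' ) ),
    ) );

    wp_safe_redirect( add_query_arg( 'settings-updated', 'true', admin_url( 'admin.php?page=kewc-example' ) ) );
    exit;
}
add_action( 'admin_post_kewc_example_save_settings', 'kewc_example_save_settings_hardened' );
```

The capability check and the nonce check answer different questions: current_user_can() asks whether the logged-in user may change settings at all, while check_admin_referer() asks whether this particular request originated from a form the site itself rendered for that user. A CSRF page can satisfy the first (the victim is an administrator) but not the second, which is why both belong in the handler.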

Generated by OpenCVE AI on April 22, 2026 at 00:15 UTC.

Advisories

No advisories yet.

History

Mon, 15 Dec 2025 19:15:00 +0000

Values added:
Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 12 Dec 2025 09:00:00 +0000

Values added:
First Time appeared: Developerke; Developerke kirim.email Woocommerce Integration; Woocommerce; Woocommerce woocommerce; Wordpress; Wordpress wordpress
Vendors & Products: Developerke; Developerke kirim.email Woocommerce Integration; Woocommerce; Woocommerce woocommerce; Wordpress; Wordpress wordpress

Fri, 12 Dec 2025 03:45:00 +0000

Values added:
Description: The Kirim.Email WooCommerce Integration plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.9. This is due to missing nonce validation on the plugin's settings page. This makes it possible for unauthenticated attackers to modify the plugin's API credentials and integration settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title: Kirim.Email WooCommerce Integration <= 1.2.9 - Cross-Site Request Forgery to Settings Update
Weaknesses: CWE-352
References:
Metrics: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Subscriptions

Developerke Kirim.email Woocommerce Integration
Woocommerce Woocommerce
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:00:23.020Z

Reserved: 2025-12-05T21:16:58.731Z

Link: CVE-2025-14165

Vulnrichment

Updated: 2025-12-12T21:03:06.305Z

NVD

Status : Deferred

Published: 2025-12-12T04:15:49.090

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14165

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T00:30:04Z

Weaknesses