Description
Cross-Site Request Forgery (CSRF) vulnerability in Zaytech Smart Online Order for Clover allows Cross Site Request Forgery. This issue affects Smart Online Order for Clover: from n/a through 1.6.0.
Published: 2026-04-15
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Action via CSRF
Action: Assess Impact
AI Analysis

Impact

The vulnerability is a CSRF flaw that allows an attacker to cause authenticated users of the Smart Online Order for Clover plugin to submit requests without their consent. Because the plugin does not properly verify request authenticity, an attacker can potentially create, modify, or delete orders, or trigger other privileged actions that the plugin exposes. The impact is to integrity only, with no confidentiality or availability impact: unauthorized actions performed in the victim's session and potential financial loss.

Affected Systems

The Smart Online Order for Clover WordPress plugin, made by Zaytech, is vulnerable in all releases from its first version through 1.6.0. Any site running any of those releases faces risk until upgraded to a newer minor release.

Risk and Exploitability

The CVSS score is 4.3, reflecting a moderate risk. No EPSS data is published, and the issue is not yet in the CISA KEV list, which suggests a lower likelihood of widespread exploitation. The likely attack vector is tricking an authenticated user into visiting a malicious page that submits a request to the plugin; this is inferred from the fact that CSRF requires an authenticated session. If an attacker can gain a social-engineering foothold, they could trigger unwanted actions on the site, potentially creating fraudulent orders or altering order data.

Generated by OpenCVE AI on April 15, 2026 at 22:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the Zaytech website for a vendor-published fix or update to a version newer than 1.6.0 that addresses CSRF.
  • If an update is not yet available, restrict access to the plugin’s action endpoints or enforce additional nonce verification for state-changing requests.
  • Implement site-wide CSRF protection by adding nonces to all forms or using WordPress REST API authentication mechanisms to ensure requests include a verification token.
  • Monitor site logs for unexpected order creation or modification after the patch and review user activity to detect any malicious actions.
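As an added illustration of the nonce-based mitigation the actions above describe (example code, not the plugin's own): a WordPress admin-post handler that performs a state-changing order update with no request-origin check, beside the hardened form that requires a nonce bound to the form and a capability check. The action name `soo_update_order`, the form fields, the `soo` text domain and the `update_order_status()` helper are hypothetical.

```php
<?php
// Added example, not code from the Smart Online Order for Clover plugin.
// Hook name, field names and update_order_status() are hypothetical.

// Vulnerable pattern (CWE-352): any request carrying the expected fields is
// honoured, so a page on another origin can have a logged-in user's browser
// submit it, and the browser attaches the WordPress auth cookies automatically.
function soo_handle_order_update_unprotected() {
    $order_id = absint( $_POST['order_id'] ?? 0 );
    $status   = sanitize_text_field( wp_unslash( $_POST['status'] ?? '' ) );
    update_order_status( $order_id, $status ); // hypothetical helper
    wp_safe_redirect( admin_url( 'admin.php?page=soo-orders' ) );
    exit;
}

// Hardened pattern: render the form with a nonce bound to this action and
// this order, so the token cannot be reused for a different record...
function soo_render_order_form( $order_id ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="soo_update_order">
        <input type="hidden" name="order_id" value="<?php echo esc_attr( $order_id ); ?>">
        <?php wp_nonce_field( 'soo_update_order_' . $order_id, '_soo_nonce' ); ?>
        <select name="status"><option value="completed">completed</option></select>
        <button type="submit">Update</button>
    </form>
    <?php
}

// ...and verify both the nonce and the caller's capability before acting.
function soo_handle_order_update_protected() {
    $order_id = absint( $_POST['order_id'] ?? 0 );
    // check_admin_referer() validates the nonce (and the referer) and calls
    // wp_die() on failure, so a forged cross-site POST never reaches the update.
    check_admin_referer( 'soo_update_order_' . $order_id, '_soo_nonce' );
    // A nonce proves intent, not authorisation: still enforce the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'soo' ), 403 );
    }
    $status = sanitize_text_field( wp_unslash( $_POST['status'] ?? '' ) );
    update_order_status( $order_id, $status ); // hypothetical helper
    wp_safe_redirect( admin_url( 'admin.php?page=soo-orders' ) );
    exit;
}
add_action( 'admin_post_soo_update_order', 'soo_handle_order_update_protected' );
```

For REST API routes the equivalent is the `X-WP-Nonce` header (created with `wp_create_nonce( 'wp_rest' )`) combined with a `permission_callback` on the route, since cookie authentication to the REST API is rejected without a valid nonce.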

Generated by OpenCVE AI on April 15, 2026 at 22:20 UTC.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 15 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Zaytech
Zaytech smart Online Order For Clover
Vendors & Products Wordpress
Wordpress wordpress
Zaytech
Zaytech smart Online Order For Clover

Wed, 15 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Zaytech Smart Online Order for Clover allows Cross Site Request Forgery. This issue affects Smart Online Order for Clover: from n/a through 1.6.0.
Title WordPress Smart Online Order for Clover plugin <= 1.6.0 - Cross Site Request Forgery (CSRF) vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Subscriptions

Wordpress Wordpress
Zaytech Smart Online Order For Clover
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-16T14:15:13.253Z

Reserved: 2026-04-15T15:47:48.291Z

Link: CVE-2025-15635

Vulnrichment

Updated: 2026-04-16T14:14:52.426Z

NVD

Status : Received

Published: 2026-04-15T17:17:00.277

Modified: 2026-04-15T17:17:00.277

Link: CVE-2025-15635

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T22:30:16Z

Weaknesses