Description
Cross-Site Request Forgery (CSRF) vulnerability in a1post A1POST.BG Shipping for Woo a1post-bg-shipping-for-woocommerce allows Privilege Escalation. This issue affects A1POST.BG Shipping for Woo: from n/a through <= 1.5.
Published: 2025-02-22
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A1POST.BG Shipping for Woo does not adequately verify that requests to at least one of its state-changing actions were intentionally issued by the logged-in user (CWE-352). An attacker who lures an administrator with an active WordPress session onto attacker-controlled content can make the administrator's browser submit a forged request to the plugin; the browser attaches the session cookie automatically, so the site processes the request with the administrator's privileges. Patchstack classifies the outcome as privilege escalation: the forged request can change something on the WordPress site that only an administrator should be able to change. The attacker needs no account on the site and never learns the administrator's credentials; the administrator's own session does the work.

Affected Systems

The plugin 'A1POST.BG Shipping for Woo' (WordPress.org slug a1post-bg-shipping-for-woocommerce) is affected in all releases up to and including version 1.5 according to the current description. Note that the record as first published on 22 Feb 2025, and the matching EUVD advisory, gave the range as "through 1.5.1"; the description was narrowed to 1.5 on 1 Apr 2026. No fixed version is named anywhere on this page, so treat any site running 1.5.1 or earlier as potentially vulnerable until the vendor states otherwise.

Risk and Exploitability

The CVSS 3.1 base score of 8.8 (vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) classifies this flaw as high severity: no privileges are required on the attacker's side and the attack is network-reachable, but user interaction (UI:R) is mandatory, because the request is only honoured if an administrator with an active session visits attacker-controlled content (a web page, an e-mail link or a forum post that auto-submits a form to the target site). The attacker does not need the administrator's credentials; the browser supplies the session cookie. The EPSS score below 1% and the SSVC assessment recorded in the history below (Exploitation: none, Automatable: no, Technical Impact: total) indicate no observed exploitation and a low probability of mass exploitation, which is consistent with an attack that has to be aimed at a specific site's administrator, while the impact on a site that is hit is total. The flaw is not currently listed in CISA's KEV catalog.

Generated by OpenCVE AI on May 1, 2026 at 15:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the plugin's changelog on WordPress.org for a release newer than 1.5.1 that states a CSRF fix and upgrade to it. This page lists no fixed version, so do not assume the latest release is patched without confirming it in the changelog or with Patchstack.
  • If no fixed release exists, deactivate and then delete the plugin until one does. Deactivating stops WordPress from loading the plugin's code, including its admin-side request handlers; deleting removes the code from the server entirely.
  • Nonce verification is a code-level fix (wp_nonce_field() on the form plus check_admin_referer() or check_ajax_referer() in the handler, alongside a current_user_can() capability check) that the plugin author has to ship; WordPress has no site-wide setting that retrofits CSRF protection onto a third-party plugin. Until a fix is available, reduce exposure: keep the number of administrator accounts to a minimum, have administrators use a separate browser profile for site administration so they are not logged in while browsing untrusted pages, and watch for unexpected changes to the plugin's settings and to user roles.
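The vulnerable and hardened handler patterns behind the nonce recommendation above, as an added example. This is not code from the A1POST.BG Shipping for Woo plugin or from Patchstack; the a1post_demo_* action, function and option names are hypothetical, and the first handler is written deliberately without protection to show what a CSRF-prone WordPress admin action looks like.

```php
<?php
// Added illustration; not the plugin's code. All a1post_demo_* names are
// hypothetical and chosen only to make the two patterns comparable.

// --- Vulnerable pattern -----------------------------------------------------
// A state-changing admin_post handler with no nonce check and no capability
// check. Any page an administrator visits while logged in can contain a form
// that auto-submits to admin-post.php?action=a1post_demo_save; the browser
// attaches the admin's session cookie, and WordPress runs this function with
// the admin's privileges.
add_action( 'admin_post_a1post_demo_save', 'a1post_demo_save_vulnerable' );
function a1post_demo_save_vulnerable() {
    // Unsafe: $_POST is trusted as-is; the request origin is never checked.
    update_option( 'a1post_demo_api_key', $_POST['api_key'] );
    update_option( 'a1post_demo_admin_user', $_POST['admin_user'] );
    wp_safe_redirect( admin_url( 'admin.php?page=a1post-demo' ) );
    exit;
}

// --- Hardened pattern -------------------------------------------------------
// 1. The settings page embeds a nonce bound to the action name. The nonce is
//    derived from the current user's session and a time window, so a page on
//    another origin cannot obtain it (same-origin policy) and cannot guess it.
function a1post_demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'a1post_demo_save', 'a1post_demo_nonce' ); ?>
        <input type="hidden" name="action" value="a1post_demo_save_safe">
        <label>API key <input type="text" name="api_key"></label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// 2. The handler checks authorization first, then request intent, and only
//    then touches state. A forged cross-site request lacks a valid nonce, so
//    check_admin_referer() calls wp_die() and update_option() never runs.
add_action( 'admin_post_a1post_demo_save_safe', 'a1post_demo_save_safe' );
function a1post_demo_save_safe() {
    // Authorization: is this user allowed to change plugin settings at all?
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Intent: did this request come from the form WordPress rendered for
    // this user? Dies with a 403-style error page on failure.
    check_admin_referer( 'a1post_demo_save', 'a1post_demo_nonce' );

    // Input handling: unslash, sanitize, and only then persist.
    $api_key = isset( $_POST['api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) )
        : '';
    update_option( 'a1post_demo_api_key', $api_key );

    wp_safe_redirect( admin_url( 'admin.php?page=a1post-demo' ) );
    exit;
}
```

check_admin_referer() only proves that the request originated from a form WordPress rendered for this user; it says nothing about whether the user may perform the action, which is why the current_user_can() check is kept as well. A nonce check without a capability check leaves a lower-privileged user able to submit the form legitimately, and a capability check without a nonce leaves the CSRF hole that this advisory describes. For AJAX endpoints the same two checks apply, with check_ajax_referer() in place of check_admin_referer(). To confirm which version of the real plugin a site runs, WP-CLI reports it with wp plugin get a1post-bg-shipping-for-woocommerce --field=version (slug taken from the description above).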

Advisories
Source: EUVD
ID: EUVD-2025-4425
Title: Cross-Site Request Forgery (CSRF) vulnerability in a1post A1POST.BG Shipping for Woo allows Privilege Escalation. This issue affects A1POST.BG Shipping for Woo: from n/a through 1.5.1.

History

Thu, 23 Apr 2026 15:00:00 +0000
Metrics (cvssV3_1): {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000
Description
  Removed: Cross-Site Request Forgery (CSRF) vulnerability in a1post A1POST.BG Shipping for Woo allows Privilege Escalation. This issue affects A1POST.BG Shipping for Woo: from n/a through 1.5.1.
  Added: Cross-Site Request Forgery (CSRF) vulnerability in a1post A1POST.BG Shipping for Woo a1post-bg-shipping-for-woocommerce allows Privilege Escalation. This issue affects A1POST.BG Shipping for Woo: from n/a through <= 1.5.
Title
  Removed: WordPress A1POST.BG Shipping for Woo plugin <= 1.5.1 - CSRF to Privilege Escalation vulnerability
  Added: WordPress A1POST.BG Shipping for Woo plugin <= 1.5 - CSRF to Privilege Escalation vulnerability
References: changed (values not shown on this page)
Metrics (cvssV3_1): {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Mon, 24 Feb 2025 15:15:00 +0000
Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Sat, 22 Feb 2025 16:00:00 +0000 (initial record; all values added)
Description: Cross-Site Request Forgery (CSRF) vulnerability in a1post A1POST.BG Shipping for Woo allows Privilege Escalation. This issue affects A1POST.BG Shipping for Woo: from n/a through 1.5.1.
Title: WordPress A1POST.BG Shipping for Woo plugin <= 1.5.1 - CSRF to Privilege Escalation vulnerability
Weaknesses: CWE-352
References: added (values not shown on this page)
Metrics (cvssV3_1): {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:46.709Z

Reserved: 2025-02-17T11:52:15.090Z

Link: CVE-2025-27012

Vulnrichment

Updated: 2025-02-24T14:29:25.361Z

NVD

Status : Deferred

Published: 2025-02-22T16:15:32.497

Modified: 2026-06-17T09:02:45.533

Link: CVE-2025-27012

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T16:00:16Z

Weaknesses
  • CWE-352

    Cross-Site Request Forgery (CSRF)