Description
The ORDER POST plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.0.2. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
Published: 2025-04-10
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The ORDER POST plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.0.2. This flaw allows an unauthenticated attacker to supply unchecked data to the do_shortcode function, triggering any shortcode that is available on the site without proper validation.

Affected Systems

WordPress sites that have installed the ORDER POST plugin version 2.0.2 or earlier and have not applied the latest update.

Risk and Exploitability

The CVSS score of 7.3 signals high severity, and the EPSS score of <1% indicates that a measurable portion of the WordPress ecosystem may attempt exploitation. The vulnerability is not listed in CISA KEV. The most probable attack vector is an unauthenticated request that includes a malicious shortcode or exploits the plugin’s shortcode processing route, allowing the attacker to trigger arbitrary shortcodes.

Generated by OpenCVE AI on May 19, 2026 at 15:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the ORDER POST plugin to a version newer than 2.0.2, which removes the unchecked shortcode processing.
  • If a patch is unavailable, uninstall or deactivate the plugin until an update can be applied to prevent any shortcode execution.
  • Implement site‑wide shortcode restrictions or additional input sanitization, such as using a whitelist of permitted shortcodes or configuring the plugin’s settings to restrict shortcode usage to authenticated users only.

Generated by OpenCVE AI on May 19, 2026 at 15:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-10478 The ORDER POST plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.0.2. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
History

Thu, 10 Apr 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 10 Apr 2025 07:15:00 +0000

Type Values Removed Values Added
Description The ORDER POST plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.0.2. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
Title ORDER POST <= 2.0.2 - Unauthenticated Arbitrary Shortcode Execution
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:25:34.832Z

Reserved: 2025-03-25T21:38:18.262Z

Link: CVE-2025-2805

cve-icon Vulnrichment

Updated: 2025-04-10T14:00:11.167Z

cve-icon NVD

Status : Deferred

Published: 2025-04-10T07:15:41.687

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-2805

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-19T15:15:08Z

Weaknesses