Description
Cross-Site Request Forgery (CSRF) vulnerability in flipdish Flipdish Ordering System flipdish-ordering-system allows Cross Site Request Forgery. This issue affects Flipdish Ordering System: from n/a through <= 1.5.2.
Published: 2025-03-24
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Cross-Site Request Forgery (CSRF) is possible in Flipdish Ordering System versions 1.5.2 and earlier. An attacker can cause the browser of a logged-in user to submit a forged request to the plugin's settings handler; because the browser attaches the victim's session cookies, the site processes the request as if the user had submitted the settings form, and the plugin's configuration is changed. The result is an unauthorized configuration change (the CVSS vector scores integrity impact only, C:N/I:L/A:N), which may expose the site to follow-on attacks or disrupt normal ordering. This is the classic CWE-352 weakness, a state-changing request accepted without an anti-CSRF token; the record does not describe code execution or data exfiltration.

Affected Systems

The issue affects the Flipdish Ordering System plugin for WordPress in all releases up to and including 1.5.2 (the record gives no lower bound, "n/a", so every earlier release is in scope). No fixed version is listed in the record; releases later than 1.5.2, if any, are not listed as affected.

Risk and Exploitability

The CVSS 3.1 score of 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) is Medium: reachable over the network with low complexity and no privileges on the attacker's side, but it needs user interaction and affects integrity only. The EPSS score below 1% suggests a low likelihood of exploitation in the near term, the flaw is not listed in the CISA KEV catalog, and the SSVC assessment records no known exploitation and rates the issue not automatable. The attacker needs no account on the target site; exploitation requires a user who is allowed to change the plugin's settings, typically an administrator, to visit a crafted link or attacker-controlled page while logged in to the WordPress admin. The impact is therefore limited to unauthorized configuration changes, and the risk is reduced by patching once a fix is available or by the protective measures under Remediation.

Generated by OpenCVE AI on May 1, 2026 at 13:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Flipdish Ordering System to a release later than 1.5.2 as soon as the vendor publishes one that addresses this CSRF; the record currently lists no fixed version, so confirm from the plugin changelog that a newer build actually contains the fix before relying on it.
  • Until then, keep the set of accounts able to change the plugin's settings (administrators) as small as possible, have those users avoid browsing untrusted sites while logged in to wp-admin, and consider a WAF rule that rejects POST requests to the plugin's settings handler whose Origin or Referer header is not the site itself. Blocking unauthenticated requests does not help: a CSRF request arrives authenticated, carrying the victim's own session cookies.
  • After remediation, review the plugin's configuration to confirm no unintended changes were applied, and audit the logs available to you (web-server access logs, any activity-log plugin) for settings-change requests with an unexpected Referer or origin.

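The following is an added illustration, not code from the Flipdish Ordering System plugin or from OpenCVE, of the CWE-352 pattern the analysis describes (a WordPress settings handler that accepts a state-changing POST from any logged-in browser) next to the hardened form that the recommended actions assume a fix will take. Every identifier in it (the hypo_ prefix, the admin-post action names, the hypo_api_key option) is a hypothetical name chosen for the example.

```php
<?php
/**
 * Added illustration of CWE-352 in a WordPress plugin settings handler.
 * Not code from the Flipdish Ordering System plugin; all names with the
 * hypo_ prefix, the admin-post actions and the option key are assumptions.
 */

// --- Weak pattern: the handler trusts that any logged-in user who reaches it
// meant to submit the settings form. A forged cross-site POST carries the
// victim's session cookies, so an administrator who merely visits an
// attacker-controlled page while logged in triggers the settings change.
add_action( 'admin_post_hypo_save_settings_weak', 'hypo_save_settings_weak' );
function hypo_save_settings_weak() {
    // No nonce, no capability check: whatever arrives in $_POST is written.
    update_option( 'hypo_api_key', $_POST['api_key'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=hypo' ) );
    exit;
}

// --- Hardened pattern: capability check plus a per-user, per-action nonce.
// The nonce is minted by wp_nonce_field() inside the real settings form; a
// cross-site page cannot read it, so a forged request fails the check.
add_action( 'admin_post_hypo_save_settings', 'hypo_save_settings' );
function hypo_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() validates $_POST['hypo_nonce'] against the action
    // string and dies on failure. Despite its name it checks the nonce, not
    // the HTTP Referer header, so referer-stripping clients do not break it.
    check_admin_referer( 'hypo_save_settings', 'hypo_nonce' );

    $api_key = isset( $_POST['api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) )
        : '';
    update_option( 'hypo_api_key', $api_key );

    wp_safe_redirect( admin_url( 'options-general.php?page=hypo&updated=1' ) );
    exit;
}

// --- Settings form that mints the nonce the hardened handler expects.
function hypo_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="hypo_save_settings">
        <?php wp_nonce_field( 'hypo_save_settings', 'hypo_nonce' ); ?>
        <label>API key
            <input type="text" name="api_key"
                   value="<?php echo esc_attr( get_option( 'hypo_api_key', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

The nonce is tied to the logged-in user and the action string and expires, so a page on another origin cannot forge it; the capability check additionally limits the handler to administrators even when a valid nonce is presented. An Origin/Referer check at a WAF, as suggested in the recommended actions, is defense in depth on top of this, not a replacement for the nonce.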

Advisories
Source: EUVD
ID: EUVD-2025-7911
Title: Cross-Site Request Forgery (CSRF) vulnerability in flipdish Flipdish Ordering System allows Cross Site Request Forgery. This issue affects Flipdish Ordering System: from n/a through 1.4.16.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics cvssV3_1
  {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
  Removed: Cross-Site Request Forgery (CSRF) vulnerability in flipdish Flipdish Ordering System allows Cross Site Request Forgery. This issue affects Flipdish Ordering System: from n/a through 1.4.16.
  Added: Cross-Site Request Forgery (CSRF) vulnerability in flipdish Flipdish Ordering System flipdish-ordering-system allows Cross Site Request Forgery. This issue affects Flipdish Ordering System: from n/a through <= 1.5.2.
Type: Title
  Removed: WordPress Flipdish Ordering System plugin <= 1.4.16 - Cross Site Request Forgery (CSRF) to Settings Change vulnerability
  Added: WordPress Flipdish Ordering System plugin <= 1.5.2 - Cross Site Request Forgery (CSRF) to Settings Change vulnerability
Type: References
Type: Metrics cvssV3_1
  {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Tue, 25 Mar 2025 18:15:00 +0000

Type: Metrics ssvc
  Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 24 Mar 2025 14:00:00 +0000

Type: Description
  Added: Cross-Site Request Forgery (CSRF) vulnerability in flipdish Flipdish Ordering System allows Cross Site Request Forgery. This issue affects Flipdish Ordering System: from n/a through 1.4.16.
Type: Title
  Added: WordPress Flipdish Ordering System plugin <= 1.4.16 - Cross Site Request Forgery (CSRF) to Settings Change vulnerability
Type: Weaknesses
  Added: CWE-352
Type: References
Type: Metrics cvssV3_1
  Added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Subscriptions

Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:55.104Z

Reserved: 2025-03-24T13:00:39.013Z

Link: CVE-2025-30601

Vulnrichment

Updated: 2025-03-25T17:47:28.255Z

NVD

Status : Deferred

Published: 2025-03-24T14:15:32.520

Modified: 2026-04-23T15:26:57.023

Link: CVE-2025-30601

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T13:45:06Z

Weaknesses