Description
Cross-Site Request Forgery (CSRF) vulnerability in CleverReach® Official CleverReach Plugin for WooCommerce cleverreach-wc allows Cross Site Request Forgery. This issue affects Official CleverReach Plugin for WooCommerce: from n/a through <= 3.4.6.
Published: 2025-04-04
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This CVE describes a cross-site request forgery flaw in the CleverReach Official CleverReach Plugin for WooCommerce. The flaw allows an attacker to make an authenticated user's browser submit a forged HTTP request to the plugin's settings endpoint without that user's knowledge or consent. The CVE description notes that the flaw can change settings, suggesting that an attacker could alter the plugin configuration if they can trick an authenticated user into submitting such a request. This outcome is inferred from the wording rather than directly asserted.

Affected Systems

All installations of CleverReach’s Official CleverReach Plugin for WooCommerce from the initial release up to and including 3.4.6 are affected. The plugin is widely deployed on WordPress sites running WooCommerce, so any site using a vulnerable version is included in the scope.

Risk and Exploitability

The CVSS score of 6.5 rates the vulnerability as medium severity. The EPSS score is below 1 %, indicating that exploitation is unlikely but not impossible. The vulnerability is not listed in CISA’s KEV catalog. The attack vector is CSRF, which would need an attacker to persuade an authenticated user to visit a crafted link or form. This inference is drawn from the description, which states that the flaw permits changes to settings through a forged request.

Generated by OpenCVE AI on May 2, 2026 at 02:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the plugin to 3.4.7 or later, as this version removes the CSRF vulnerability.
  • If an immediate update is not possible, verify that all settings pages validate a WordPress nonce or CSRF token; if not, patch the plugin or request a fix from the vendor.
  • Apply a web application firewall or another control that detects and blocks CSRF attempts, for example by rejecting state-changing requests that lack a valid Referer header or anti-CSRF token.
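The second recommendation above asks whether a settings page validates a WordPress nonce. The following is an added illustration of what that looks like for a generic plugin settings form; it is not the CleverReach plugin's code, and every name in it (the option `example_plugin_api_key`, the action `example_plugin_save_settings`, the nonce field `example_plugin_nonce`) is a hypothetical placeholder. The CSRF-relevant step is the `check_admin_referer()` call in the handler: a cross-site form submitted by a victim's browser carries the victim's cookies but cannot carry a nonce tied to that user and action, so the handler rejects it before any option is written.

```php
<?php
/**
 * Added illustration (not CleverReach's code): a minimal WordPress settings
 * form protected against CSRF with a nonce and a capability check.
 * All option, action and field names below are hypothetical.
 */

// Render the settings form inside the plugin's admin page.
function example_plugin_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to change these settings.', 'example-plugin' ) );
    }
    $api_key = get_option( 'example_plugin_api_key', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_plugin_save_settings">
        <?php
        // Emits a hidden field named "example_plugin_nonce" whose value is
        // bound to the action string and to the current user's session.
        wp_nonce_field( 'example_plugin_save_settings', 'example_plugin_nonce' );
        ?>
        <label>API key
            <input type="text" name="example_plugin_api_key"
                   value="<?php echo esc_attr( $api_key ); ?>">
        </label>
        <?php submit_button( 'Save settings' ); ?>
    </form>
    <?php
}

// Handle the POST. The admin_post_{action} hook only fires for logged-in users,
// which is exactly the population a CSRF attack targets.
function example_plugin_save_settings() {
    // 1. Authorisation. A nonce check does not replace this: a nonce only
    //    proves the request originated from a form WordPress rendered for
    //    this user, not that the user is allowed to change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example-plugin' ), '', array( 'response' => 403 ) );
    }

    // 2. CSRF check. Verifies $_POST['example_plugin_nonce'] against the
    //    action. A forged cross-site request cannot supply a valid nonce, so
    //    check_admin_referer() stops the request with a 403 here. A handler
    //    that omits this step is the pattern described by this CVE.
    check_admin_referer( 'example_plugin_save_settings', 'example_plugin_nonce' );

    // 3. Only now touch persistent state, after sanitising the input.
    $api_key = isset( $_POST['example_plugin_api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_plugin_api_key'] ) )
        : '';
    update_option( 'example_plugin_api_key', $api_key );

    $back = wp_get_referer() ? wp_get_referer() : admin_url();
    wp_safe_redirect( add_query_arg( 'settings-updated', 'true', $back ) );
    exit;
}
add_action( 'admin_post_example_plugin_save_settings', 'example_plugin_save_settings' );
```

When auditing a plugin for the condition in the recommendation, look for every handler that writes options or performs another state change (`admin_post_*`, `wp_ajax_*`, `admin_init` callbacks reading `$_POST`) and confirm each one calls `check_admin_referer()`, `check_ajax_referer()` or `wp_verify_nonce()` before the write; AJAX handlers use `check_ajax_referer()` with the same semantics.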

Advisories

Source: EUVD
ID: EUVD-2025-9810
Title: Cross-Site Request Forgery (CSRF) vulnerability in CleverReach® Official CleverReach Plugin for WooCommerce allows Cross Site Request Forgery. This issue affects Official CleverReach Plugin for WooCommerce: from n/a through 3.4.3.

History

Thu, 23 Apr 2026 15:00:00 +0000
  Metrics cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000
  Description (removed): Cross-Site Request Forgery (CSRF) vulnerability in CleverReach® Official CleverReach Plugin for WooCommerce allows Cross Site Request Forgery. This issue affects Official CleverReach Plugin for WooCommerce: from n/a through 3.4.3.
  Description (added): Cross-Site Request Forgery (CSRF) vulnerability in CleverReach® Official CleverReach Plugin for WooCommerce cleverreach-wc allows Cross Site Request Forgery.This issue affects Official CleverReach Plugin for WooCommerce: from n/a through <= 3.4.6.
  Title (removed): WordPress Official CleverReach WooCommerce Integration Plugin <= 3.4.3 - CSRF to Settings Change vulnerability
  Title (added): WordPress Official CleverReach WooCommerce Integration plugin <= 3.4.6 - CSRF to Settings Change vulnerability
  References
  Metrics cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}

Fri, 04 Apr 2025 20:15:00 +0000
  Metrics ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 04 Apr 2025 16:15:00 +0000
  Description (added): Cross-Site Request Forgery (CSRF) vulnerability in CleverReach® Official CleverReach Plugin for WooCommerce allows Cross Site Request Forgery. This issue affects Official CleverReach Plugin for WooCommerce: from n/a through 3.4.3.
  Title (added): WordPress Official CleverReach WooCommerce Integration Plugin <= 3.4.3 - CSRF to Settings Change vulnerability
  Weaknesses (added): CWE-352
  References
  Metrics (added) cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}


MITRE
Status: PUBLISHED
Assigner: Patchstack
Published:
Updated: 2026-04-28T16:12:19.516Z
Reserved: 2025-04-04T10:01:59.469Z
Link: CVE-2025-32241

Vulnrichment
Updated: 2025-04-04T19:38:24.888Z

NVD
Status: Deferred
Published: 2025-04-04T16:15:33.530
Modified: 2026-04-23T15:28:49.153
Link: CVE-2025-32241

Redhat
No data.

OpenCVE Enrichment
Updated: 2026-05-02T02:30:25Z

Weaknesses