Description
Cross-Site Request Forgery (CSRF) vulnerability in WP Trio Conditional Payments for WooCommerce (conditional-payments-for-woocommerce) allows Cross Site Request Forgery. This issue affects Conditional Payments for WooCommerce: from n/a through <= 3.3.0.
Published: 2025-04-16
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a CSRF flaw (CWE-352): an attacker induces a user who is logged in to the WordPress site to submit a forged request, which the site then processes under that user's session. The description does not name the affected action or parameter. Because the plugin manages the conditions under which payment methods are offered, a forged request could plausibly change those conditions and so alter which payment methods shoppers see at checkout. Note, however, that the assigned CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) scores the impact as high availability with no confidentiality or integrity impact, so the published data does not confirm an integrity effect on the site's payment logic.

Affected Systems

WP Trio Conditional Payments for WooCommerce plugin, version 3.3.0 or earlier, is affected.

Risk and Exploitability

The CVSS 3.1 base score of 6.5 is Medium. The EPSS score below 1% indicates that exploitation in the wild is currently unlikely, and the vulnerability is not listed in the CISA KEV catalog; the SSVC assessment recorded in the history below likewise reports Exploitation: none and Automatable: no. The vector (AV:N/AC:L/PR:N/UI:R) has the usual CSRF shape: the attacker needs no account on the site (PR:N) but needs a victim who holds a logged-in session with the rights to change the plugin's settings to open an attacker-controlled page or link (UI:R). A hidden, auto-submitting form on that page sends the state-changing request to the site's admin endpoint, and the browser attaches the victim's session cookie, so the site cannot tell the request from a legitimate save unless it also requires a per-action token that the attacker's page cannot know.

Generated by OpenCVE AI on May 1, 2026 at 10:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Conditional Payments for WooCommerce plugin to a release newer than 3.3.0. The advisory lists no fixed version, so confirm in the vendor's changelog that the release you install addresses this issue.
  • If an immediate update is not possible, note that adding CSRF tokens means changing the plugin's own code: in WordPress that is a nonce (wp_nonce_field() in the form, check_admin_referer() or wp_verify_nonce() in the handler) together with a capability check such as current_user_can() on every state-changing route. Site operators who cannot patch the plugin should instead limit which accounts hold settings rights and avoid browsing untrusted sites from a logged-in administrator session.
  • Consider a web application firewall rule that blocks POST requests to the plugin's admin endpoints whose Origin or Referer header does not match the site. A forged request arrives from the victim's own browser with a valid session cookie, so a rule keyed on source IP or session cannot tell it apart; the cross-site headers are the only distinguishing signal. Origin is sent by current browsers on cross-origin form POSTs and is the more reliable check, while some privacy settings strip Referer, so blocking on a missing Referer can break legitimate saves.

Generated by OpenCVE AI on May 1, 2026 at 10:09 UTC.
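The nonce-plus-capability pattern the recommendations above describe, as an added example written for this page and not code from the Conditional Payments for WooCommerce plugin or WP Trio. The handler names, the admin_post action cp_save_rules, the option cp_payment_rules and the field cp_rules are assumptions for illustration; check_admin_referer(), current_user_can(), wp_nonce_field(), submit_button() and the admin_post_{action} hook are WordPress core APIs. The fragment is a plugin file and runs only inside WordPress, not stand-alone.

```php
<?php
/*
 * Added example, not code from the Conditional Payments for WooCommerce plugin.
 * A hypothetical "save payment rules" handler for a WooCommerce extension, shown
 * first in the CSRF-prone shape and then hardened with a WordPress nonce plus a
 * capability check. Action, option and field names are assumptions.
 */

// BEFORE: any POST to admin-post.php?action=cp_save_rules is honoured as long as
// the browser carries a logged-in session cookie. A hidden form on an attacker's
// page submits exactly such a request, which is the CWE-352 pattern.
function cp_save_rules_vulnerable() {
	$rules = isset( $_POST['cp_rules'] ) ? wp_unslash( $_POST['cp_rules'] ) : '';
	update_option( 'cp_payment_rules', $rules ); // hypothetical option name
	wp_safe_redirect( admin_url( 'admin.php?page=cp-rules&saved=1' ) );
	exit;
}

// AFTER: the request must carry a nonce that this site minted for this action,
// and the caller must hold a capability that covers shop configuration.
function cp_save_rules_hardened() {
	// check_admin_referer() reads the _wpnonce field and calls wp_die() if it is
	// missing or does not validate for the action 'cp_save_rules'. A page on
	// another origin cannot read the nonce, so a forged form fails here.
	check_admin_referer( 'cp_save_rules' );

	// A nonce only proves the request came from a form this site rendered for
	// this user; it is not an authorization check, so verify the capability too.
	if ( ! current_user_can( 'manage_woocommerce' ) ) {
		wp_die( esc_html__( 'You are not allowed to change payment rules.', 'cp-example' ), 403 );
	}

	$rules = isset( $_POST['cp_rules'] )
		? sanitize_textarea_field( wp_unslash( $_POST['cp_rules'] ) )
		: '';
	update_option( 'cp_payment_rules', $rules );
	wp_safe_redirect( admin_url( 'admin.php?page=cp-rules&saved=1' ) );
	exit;
}

// Route only the hardened handler. admin_post_{action} fires for logged-in users;
// the vulnerable function above is left unregistered on purpose.
add_action( 'admin_post_cp_save_rules', 'cp_save_rules_hardened' );

// The settings form must emit the matching nonce field, otherwise legitimate
// saves fail the check in the handler. submit_button() is an admin-screen helper.
function cp_render_rules_form() {
	?>
	<form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
		<input type="hidden" name="action" value="cp_save_rules">
		<?php wp_nonce_field( 'cp_save_rules' ); // emits _wpnonce and _wp_http_referer ?>
		<textarea name="cp_rules"><?php echo esc_textarea( get_option( 'cp_payment_rules', '' ) ); ?></textarea>
		<?php submit_button( 'Save rules' ); ?>
	</form>
	<?php
}
```

The same split applies to the plugin's other entry points: an admin-ajax handler should call check_ajax_referer() with its own action name, and a REST route should rely on its permission_callback, since the REST API already rejects cookie-authenticated requests that lack a valid X-WP-Nonce header.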


Advisories
Source: EUVD
ID: EUVD-2025-11312
Title: Cross-Site Request Forgery (CSRF) vulnerability in WP Trio Conditional Payments for WooCommerce allows Cross Site Request Forgery. This issue affects Conditional Payments for WooCommerce: from n/a through 3.3.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
  Value: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
  Removed: Cross-Site Request Forgery (CSRF) vulnerability in WP Trio Conditional Payments for WooCommerce allows Cross Site Request Forgery. This issue affects Conditional Payments for WooCommerce: from n/a through 3.3.0.
  Added: Cross-Site Request Forgery (CSRF) vulnerability in WP Trio Conditional Payments for WooCommerce conditional-payments-for-woocommerce allows Cross Site Request Forgery.This issue affects Conditional Payments for WooCommerce: from n/a through <= 3.3.0.
Type: Title
  Removed: WordPress Conditional Payments for WooCommerce <= 3.3.0 - Cross Site Request Forgery (CSRF) Vulnerability
  Added: WordPress Conditional Payments for WooCommerce plugin <= 3.3.0 - Cross Site Request Forgery (CSRF) Vulnerability
Type: References (values not shown)
Type: Metrics (cvssV3_1)
  Value: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}


Wed, 16 Apr 2025 15:15:00 +0000

Type: Metrics (ssvc)
  Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 16 Apr 2025 13:15:00 +0000

Type: Description
  Added: Cross-Site Request Forgery (CSRF) vulnerability in WP Trio Conditional Payments for WooCommerce allows Cross Site Request Forgery. This issue affects Conditional Payments for WooCommerce: from n/a through 3.3.0.
Type: Title
  Added: WordPress Conditional Payments for WooCommerce <= 3.3.0 - Cross Site Request Forgery (CSRF) Vulnerability
Type: Weaknesses
  Added: CWE-352
Type: References (values not shown)
Type: Metrics (cvssV3_1)
  Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:34.865Z

Reserved: 2025-04-16T06:25:01.731Z

Link: CVE-2025-39563

Vulnrichment

Updated: 2025-04-16T14:57:49.486Z

NVD

Status : Deferred

Published: 2025-04-16T13:15:48.967

Modified: 2026-04-23T15:29:47.730

Link: CVE-2025-39563

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T10:15:17Z

Weaknesses