Impact
CVE-2025-39600 describes a Cross-Site Request Forgery (CSRF) vulnerability in the CRM Perks Integration for WooCommerce and QuickBooks plugin, versions up to 1.3.1. The flaw allows an attacker to trick a logged-in WordPress user into sending forged requests that perform privileged actions through the plugin, potentially leading to unauthorized data changes in the WooCommerce store or the QuickBooks integration. The root cause is missing CSRF protection (CWE-352), which lets unauthorized operations be carried out on behalf of the authenticated user.
Affected Systems
Affected systems are WordPress sites running the CRM Perks Integration for WooCommerce and QuickBooks plugin at any version ≤ 1.3.1. No other vendors or products are listed in the CVE data. The vulnerability is triggered via the web front-end when the plugin processes incoming requests without sufficient nonce validation.
Risk and Exploitability
The CVSS score of 4.3 indicates a moderate impact, and the EPSS score below 1 % suggests a very low likelihood of exploitation in the wild; the vulnerability is not listed in the CISA KEV catalog. Based on typical CSRF mechanics, the attack vector is inferred to be remote and relies on a victim's authenticated browser session to submit the forged requests. An attacker would need to lure the user into visiting a crafted page or loading malicious content that emits requests to the plugin's endpoints, exploiting the missing CSRF checks.
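To make the "missing nonce validation" root cause and its fix concrete, the following is an added example written for this page, not code from the CRM Perks plugin: a hypothetical WordPress admin-post handler (all `crmp_demo_*` names are invented) shown first in the CSRF-prone shape the advisory describes and then hardened with the WordPress nonce and capability checks.

```php
<?php
// Added example, not the plugin's own code. All crmp_demo_* names are hypothetical.

// --- Vulnerable shape (CWE-352): trusts any request from a logged-in browser ---
function crmp_demo_save_settings_vulnerable() {
    // A forged cross-site POST riding the victim's authenticated session
    // reaches this line unchallenged and silently changes plugin state.
    $value = isset( $_POST['crmp_demo_setting'] )
        ? sanitize_text_field( wp_unslash( $_POST['crmp_demo_setting'] ) ) : '';
    update_option( 'crmp_demo_setting', $value );
    wp_safe_redirect( admin_url( 'admin.php?page=crmp-demo' ) );
    exit;
}

// --- Hardened shape: verify authority (capability) and intent (nonce) ---
function crmp_demo_save_settings_hardened() {
    // 1. Authorization: only users allowed to manage settings may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.' ), '', array( 'response' => 403 ) );
    }
    // 2. CSRF check: the token must match the one emitted by wp_nonce_field() below.
    //    wp_verify_nonce() returns false when the token is missing, forged or expired,
    //    and a cross-site page cannot read the victim's token to include it.
    $nonce = isset( $_POST['crmp_demo_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['crmp_demo_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'crmp_demo_save' ) ) {
        wp_die( esc_html__( 'Security check failed.' ), '', array( 'response' => 403 ) );
    }
    $value = isset( $_POST['crmp_demo_setting'] )
        ? sanitize_text_field( wp_unslash( $_POST['crmp_demo_setting'] ) ) : '';
    update_option( 'crmp_demo_setting', $value );
    wp_safe_redirect( admin_url( 'admin.php?page=crmp-demo' ) );
    exit;
}

// The settings form that legitimately submits to the handler above.
function crmp_demo_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="crmp_demo_save">';
    // Emits a hidden per-user, time-limited token bound to the 'crmp_demo_save' action.
    wp_nonce_field( 'crmp_demo_save', 'crmp_demo_nonce' );
    echo '<input type="text" name="crmp_demo_setting">';
    submit_button( 'Save' );
    echo '</form>';
}

// admin-post.php dispatches POST requests with action=crmp_demo_save to the hardened handler.
add_action( 'admin_post_crmp_demo_save', 'crmp_demo_save_settings_hardened' );
```

The capability check and the nonce check address different questions (may this user do this, and did this user intend this request), so a handler needs both; a nonce alone does not replace authorization.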
OpenCVE Enrichment