CVE-2025-13987 is a medium severity security vulnerability classified as CWE-352 (Cross-Site Request Forgery) found in the Purchase and Expense Manager plugin for WordPress, developed by codnloc. The vulnerability exists in all versions up to and including 1.1.2 due to the absence of nonce validation in the 'sup_pt_handle_deletion' function, which handles deletion of purchase records. Nonce validation is a security mechanism designed to ensure that requests are intentional and originate from legitimate users. Without this protection, an attacker can craft a malicious request that, when executed by an authenticated site administrator (via clicking a link or visiting a crafted webpage), causes the deletion of arbitrary purchase records. This attack vector does not require the attacker to be authenticated but does require user interaction from an administrator. The vulnerability impacts the integrity of purchase data but does not compromise confidentiality or availability. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) reflects that the attack can be performed remotely over the network with low complexity, no privileges required, but requires user interaction, and impacts integrity only. There are no known exploits in the wild at the time of publication, and no official patches or mitigations have been linked yet. The vulnerability was publicly disclosed on December 12, 2025, with the CVE reserved on December 3, 2025.

The primary impact of this vulnerability is the unauthorized deletion of purchase records, which compromises data integrity within the Purchase and Expense Manager plugin. For organizations relying on this plugin to track financial transactions, such data loss can disrupt accounting processes, lead to inaccurate financial reporting, and potentially cause compliance issues. Although confidentiality and availability are not directly affected, the integrity breach can undermine trust in financial data and complicate audits. Attackers do not gain direct access to sensitive data but can cause operational disruption by deleting critical records. Since exploitation requires tricking an administrator into clicking a malicious link, social engineering is a key component of the attack. Organizations with multiple administrators or less security-aware staff are at higher risk. The absence of known exploits reduces immediate risk, but the vulnerability remains exploitable until patched.

To mitigate this vulnerability, organizations should immediately implement nonce validation on the 'sup_pt_handle_deletion' function if they maintain custom or forked versions of the plugin. This involves verifying a unique, single-use token with each deletion request to confirm legitimacy. Until an official patch is released by codnloc, administrators should be trained to recognize and avoid clicking suspicious links or performing deletion actions from untrusted sources. Employing web application firewalls (WAFs) with rules to detect and block CSRF attempts targeting the plugin's deletion endpoints can provide additional protection. Regular backups of purchase data should be maintained to enable recovery from unauthorized deletions. Monitoring logs for unusual deletion activity can help detect exploitation attempts early. Finally, organizations should track updates from the vendor and apply official patches promptly once available.