CVE-2025-13987: CWE-352 Cross-Site Request Forgery (CSRF) in codnloc Purchase and Expense Manager
The Purchase and Expense Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. This is due to missing nonce validation on the 'sup_pt_handle_deletion' function. This makes it possible for unauthenticated attackers to delete arbitrary purchase records via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
AI Analysis
Technical Summary
CVE-2025-13987 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the Purchase and Expense Manager plugin for WordPress, affecting all versions up to and including 1.1.2. The vulnerability stems from the absence of nonce validation in the 'sup_pt_handle_deletion' function, which handles deletion requests for purchase records. A WordPress nonce is a keyed token derived from the action name, the user ID, the user's session token and a time tick (a nonce stays valid for roughly 12 to 24 hours); a handler that calls wp_verify_nonce() or check_admin_referer() therefore accepts a state-changing request only if it carries a token the logged-in user's own pages generated for that action. Without that check, the handler accepts any request that arrives with the administrator's authentication cookies, which the browser attaches automatically. An attacker can therefore host a form or link that submits the deletion request to the target site; when an authenticated administrator visits the attacker's page, the browser sends the request with the admin's session and the record is deleted without the admin's knowledge. The attacker needs no account on the target site but does need user interaction, namely the administrator opening a crafted page or link. The vulnerability affects the integrity of financial data by allowing unauthorized deletion of purchase records; it does not by itself disclose data or take the site offline. The CVSS 3.1 base score is 4.3 (medium), consistent with a network-reachable, low-complexity attack with no privileges required, user interaction required, and a low integrity impact only. At the time of disclosure no fixed release was listed and no exploitation in the wild had been reported. The weakness is cataloged under CWE-352 (Cross-Site Request Forgery). Organizations running this plugin should treat the risk as real wherever administrators can be reached by phishing or other social engineering that induces them to visit an attacker-controlled page while logged in.
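The following is an added illustration, not code from the Purchase and Expense Manager plugin or its vendor: a WordPress admin_post deletion handler first in the shape the advisory describes (no nonce check), then hardened with a capability check and check_admin_referer(), together with the form that emits the matching nonce. The action name 'pem_demo_delete', the table name 'pem_demo_records', the menu slug and the 'manage_options' capability are assumptions chosen for the example; the real plugin's wiring is not shown on this page.

```php
<?php
/*
 * Added example (not the plugin's own code). Names below are assumptions:
 *   action 'pem_demo_delete', table {prefix}pem_demo_records, page 'pem-demo'.
 */

// CSRF-prone shape: the handler trusts the request solely because the browser
// sent the administrator's authentication cookies. A form on any other site
// that POSTs action=pem_demo_delete&record_id=N to admin-post.php will run it.
// (Not hooked to any action here; shown only for contrast.)
function pem_demo_delete_vulnerable() {
    global $wpdb;
    $id = isset( $_REQUEST['record_id'] ) ? absint( $_REQUEST['record_id'] ) : 0;
    if ( $id ) {
        $wpdb->delete( $wpdb->prefix . 'pem_demo_records', array( 'id' => $id ), array( '%d' ) );
    }
    wp_safe_redirect( admin_url( 'admin.php?page=pem-demo' ) );
    exit;
}

// Hardened shape: require the capability AND a nonce bound to this action and
// record. check_admin_referer() dies with HTTP 403 unless _wpnonce verifies.
// The nonce is keyed to the logged-in user's session, so a third-party page
// cannot produce one.
function pem_demo_delete_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
    }
    $id = isset( $_POST['record_id'] ) ? absint( $_POST['record_id'] ) : 0;
    check_admin_referer( 'pem_demo_delete_' . $id );

    global $wpdb;
    $wpdb->delete( $wpdb->prefix . 'pem_demo_records', array( 'id' => $id ), array( '%d' ) );
    wp_safe_redirect( admin_url( 'admin.php?page=pem-demo&deleted=1' ) );
    exit;
}
add_action( 'admin_post_pem_demo_delete', 'pem_demo_delete_hardened' );

// The matching form. wp_nonce_field() emits the hidden _wpnonce and
// _wp_http_referer inputs that check_admin_referer() validates.
function pem_demo_render_delete_button( $id ) {
    $id = absint( $id );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="pem_demo_delete">
        <input type="hidden" name="record_id" value="<?php echo $id; ?>">
        <?php wp_nonce_field( 'pem_demo_delete_' . $id ); ?>
        <?php submit_button( 'Delete', 'delete', 'submit', false ); ?>
    </form>
    <?php
}
```

Two details matter in practice. The nonce does not replace the capability check: a nonce proves the request came from a page the site rendered for this user, while current_user_can() proves the user may perform the action. Binding the record ID into the nonce action string also stops a valid nonce for one record from being replayed against another.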
Potential Impact
For European organizations, the primary impact of this vulnerability is the unauthorized deletion of purchase records, which damages the integrity of financial management data. This can disrupt accounting processes, cause discrepancies in financial reporting and, where purchase records contain personal data or feed statutory bookkeeping, create compliance exposure under regimes such as GDPR and national record-retention rules. The vulnerability does not expose data directly, but deleted or manipulated purchase records undermine trust in the financial system and complicate audits. Organizations relying on the Purchase and Expense Manager plugin for critical financial operations are therefore at risk of operational disruption. Because exploitation requires a logged-in administrator to visit an attacker-controlled page, targeted phishing or social engineering is the realistic delivery vector; the risk is higher where security awareness is low, where administrators stay logged in to WordPress while browsing, or where many users hold administrator privileges. The absence of known exploitation in the wild lowers the immediate risk but does not eliminate it, since publicly described CSRF issues are cheap to weaponize and a forged request needs no exploit code beyond an HTML form. The confidentiality and availability impact is minimal, but the integrity impact can have downstream effects on business operations and regulatory compliance.
Mitigation Recommendations
To mitigate this vulnerability, organizations should first determine whether the Purchase and Expense Manager plugin is installed and which version is in use (the plugin version is visible under Plugins in the WordPress dashboard). Until a fixed release is available, options include deactivating the plugin, disabling the deletion functionality, or adding nonce and capability validation to the 'sup_pt_handle_deletion' handler (check_admin_referer() together with current_user_can()), bearing in mind that local modifications are overwritten by plugin updates and must be re-verified when the vendor fix arrives. Administrators should be trained to recognize phishing and to avoid following links from untrusted sources while logged in to the site. A WAF cannot distinguish a forged request from a legitimate one by its body alone, since a CSRF request is a well-formed request sent by the victim's browser; what a WAF or server rule can do is reject state-changing admin requests whose Origin or Referer header points to another site, which blocks the cross-site submission that this attack depends on. Restricting wp-admin access to trusted networks or a VPN reduces exposure, and logging deletion requests (user, action, source IP, Origin/Referer) supports early detection and post-incident reconstruction. Once the vendor publishes a patched version, apply it promptly. Maintain regular backups of purchase records so deleted data can be restored, and apply least privilege to WordPress accounts so that fewer users hold the capability a forged request could exercise.
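As an added example of the defense-in-depth layer described above (not code from the plugin or vendor), the following must-use plugin rejects POST requests to wp-admin entry points from logged-in users when the Origin or Referer header names a different host, and writes an audit line for deletion-like actions. The file name, log destination (PHP error_log), and the 'delet' keyword used to spot deletion actions are assumptions; the real plugin's action names are not given on this page, so the filter is deliberately broad.

```php
<?php
/*
 * Plugin Name: CSRF Origin Guard (added example, not vendor code)
 * Description: Defense-in-depth for state-changing wp-admin requests until the
 *   vendor fix is applied. Save as wp-content/mu-plugins/csrf-origin-guard.php.
 *   Assumptions: logging via error_log(); deletion actions contain 'delet'.
 */

// Host of this site, as configured in the Site Address setting.
function csrf_guard_site_host() {
    return strtolower( (string) wp_parse_url( home_url(), PHP_URL_HOST ) );
}

// Host named by the request's Origin header, falling back to Referer.
// Browsers send Origin on cross-site POSTs; returns null if neither is usable.
function csrf_guard_request_origin_host() {
    foreach ( array( 'HTTP_ORIGIN', 'HTTP_REFERER' ) as $key ) {
        if ( ! empty( $_SERVER[ $key ] ) && 'null' !== $_SERVER[ $key ] ) {
            return strtolower( (string) wp_parse_url( $_SERVER[ $key ], PHP_URL_HOST ) );
        }
    }
    return null;
}

function csrf_guard_enforce() {
    if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) || ! is_user_logged_in() ) {
        return;
    }
    // Only guard back-end entry points (wp-admin/*, admin-post.php, admin-ajax.php).
    if ( ! is_admin() && ! wp_doing_ajax() ) {
        return;
    }

    $origin = csrf_guard_request_origin_host();
    $action = sanitize_key( $_REQUEST['action'] ?? '' );
    $site   = csrf_guard_site_host();

    // Audit trail for deletion-like actions, whatever the outcome.
    if ( false !== strpos( $action, 'delet' ) ) {
        error_log( sprintf(
            '[csrf-guard] user=%d action=%s origin=%s ip=%s',
            get_current_user_id(),
            $action,
            $origin ?? '-',
            $_SERVER['REMOTE_ADDR'] ?? '-'
        ) );
    }

    // Block only when a header is present and names another host. A request
    // with neither header is allowed through, so this is a complement to,
    // not a substitute for, nonce validation in the handler itself.
    if ( null !== $origin && $origin !== $site ) {
        error_log( sprintf( '[csrf-guard] BLOCKED cross-site POST action=%s origin=%s', $action, $origin ) );
        wp_die( 'Cross-site request rejected.', 'Forbidden', array( 'response' => 403 ) );
    }
}
add_action( 'init', 'csrf_guard_enforce', 1 );
```

Before deploying, check for legitimate cross-origin callers: a site that serves wp-admin from a different hostname than its Site Address, or a separate front end that POSTs to admin-ajax.php, will be blocked and needs an allow-list. The guard fails open when both headers are absent (for example under a strict Referrer-Policy), which is why the fix in the handler remains necessary.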
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-03T17:04:44.930Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 693b9187650da22753edbd43
Added to database: 12/12/2025, 3:52:39 AM
Last enriched: 12/12/2025, 4:15:32 AM
Last updated: 12/13/2025, 2:38:52 AM