CVE-2025-13987: CWE-352 Cross-Site Request Forgery (CSRF) in codnloc Purchase and Expense Manager
The Purchase and Expense Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. This is due to missing nonce validation on the 'sup_pt_handle_deletion' function. This makes it possible for unauthenticated attackers to delete arbitrary purchase records via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
AI Analysis
Technical Summary
CVE-2025-13987 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the codnloc Purchase and Expense Manager plugin for WordPress, present in all versions up to and including 1.1.2; no fixed version is listed. The vulnerability stems from the absence of nonce validation in the 'sup_pt_handle_deletion' function, which handles deletion requests for purchase records. A WordPress nonce is not an authentication mechanism: the victim is already authenticated, and the browser attaches the login cookies to any request to the site, whoever initiated it. The nonce is an anti-CSRF token derived from the user's ID and session, the action name and a time tick (valid for up to 24 hours), generated only by the site's own pages and verified with wp_verify_nonce() or check_admin_referer(). A handler that skips this check cannot tell a request originating from the plugin's admin screen from one forged by a third-party page. Without this protection, an attacker can craft a malicious link or web page that, when visited or clicked by a logged-in site administrator, triggers the deletion of arbitrary purchase records without the administrator's knowledge or consent. The attacker does not need an account; the victim administrator must interact with the malicious content (user interaction). The CVSS 3.1 base score of 4.3 (medium) reflects a network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:R), unchanged scope (S:U), no confidentiality impact (C:N), low integrity impact (I:L), and no availability impact (A:N). The vulnerability primarily threatens data integrity by enabling unauthorized deletion of financial data, which could disrupt business operations or financial reporting. No patches or public exploits are currently available, but the vulnerability is published and recognized by Wordfence and the CVE database. Organizations using this plugin should be prepared to apply a fix as soon as one is released. The case illustrates why every state-changing handler in a WordPress plugin needs both a nonce check and a capability check.
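To make the defect concrete, the following is an added illustration of the pattern the advisory describes, not code from the Purchase and Expense Manager plugin: a deletion handler that trusts any request carrying the victim's cookies, beside the hardened form that binds the request to a nonce and a capability check. Only the handler name sup_pt_handle_deletion comes from the advisory; the admin-post action name, the purchase_id parameter, the custom post type and the capability are assumptions.

```php
<?php
// Added example, not the plugin's code. Hook/action names, parameter names,
// post type and capability are assumptions made for illustration.

// --- Vulnerable pattern: what a missing nonce check looks like ---
// Any request to admin-post.php?action=sup_pt_delete&purchase_id=N is honoured
// as long as the browser sends the victim's logged-in cookies. Nothing proves
// that the administrator, rather than a third-party page, initiated it.
function sup_pt_handle_deletion_vulnerable() {
    $id = isset($_REQUEST['purchase_id']) ? absint($_REQUEST['purchase_id']) : 0;
    if ($id) {
        wp_delete_post($id, true); // purchase records assumed to be a custom post type
    }
    wp_safe_redirect(admin_url('admin.php?page=sup_pt_purchases'));
    exit;
}

// --- Hardened pattern ---
function sup_pt_handle_deletion_fixed() {
    // 1. Capability check: authorisation is separate from CSRF protection.
    if (!current_user_can('manage_options')) {
        wp_die(__('Insufficient permissions.'), 403);
    }

    $id = isset($_REQUEST['purchase_id']) ? absint($_REQUEST['purchase_id']) : 0;

    // 2. Nonce check bound to this action AND this record id, so a token seen
    //    for one record cannot be replayed against another. check_admin_referer()
    //    runs wp_verify_nonce() on $_REQUEST['_wpnonce'] and dies on failure.
    check_admin_referer('sup_pt_delete_' . $id);

    // 3. Confirm the target is one of the plugin's own records before deleting.
    if ($id && get_post_type($id) === 'sup_pt_purchase') {
        wp_delete_post($id, true);
    }
    wp_safe_redirect(admin_url('admin.php?page=sup_pt_purchases'));
    exit;
}

// Only the hardened handler is registered. admin-post.php fires
// admin_post_{action} for logged-in users.
add_action('admin_post_sup_pt_delete', 'sup_pt_handle_deletion_fixed');

// The legitimate "Delete" link rendered in the plugin's own admin screen carries
// the matching nonce. An attacker's page cannot compute it: the value is an HMAC
// over the victim's user ID, session token, the action string and the time tick.
function sup_pt_delete_link($purchase_id) {
    $url = add_query_arg(
        array('action' => 'sup_pt_delete', 'purchase_id' => $purchase_id),
        admin_url('admin-post.php')
    );
    return wp_nonce_url($url, 'sup_pt_delete_' . $purchase_id);
}
```

The two checks do different jobs: current_user_can() answers "may this user delete records?", check_admin_referer() answers "did this user actually ask to?". A forged request from another site passes the first (the victim is an administrator) and fails the second, which is exactly the gap the advisory reports.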
Potential Impact
For European organizations, especially small and medium enterprises (SMEs) relying on WordPress with the Purchase and Expense Manager plugin, this vulnerability poses a risk to the integrity of financial data. Unauthorized deletion of purchase records can lead to inaccurate financial reporting, loss of transaction history, and compliance issues: national bookkeeping and tax rules require purchase records to be retained, and where the records contain personal data, GDPR's accuracy and integrity principles apply. While the vulnerability does not directly compromise confidentiality or availability, tampering with financial records undermines trust and operational continuity, and recovering deleted data and investigating the incident creates administrative overhead. Because user interaction is required, phishing or social engineering campaigns targeting administrators are the likely delivery vector, which raises the risk in organizations with less mature security awareness. Note that the victim does not have to be on the attacker's page at the time of deletion in any special way: a single click on a link, or loading a page that auto-submits a form, is enough while the administrator has an active WordPress session. Given the widespread use of WordPress in Europe and the sensitivity of financial data, exploitation could have moderate operational and reputational impact.
Mitigation Recommendations
1. Monitor for and apply official patches or updates from codnloc as soon as they are released to address the missing nonce validation; no fixed version is listed at the time of writing.
2. Until a patch is available, disable the plugin if it is not business-critical. Avoid editing the vendor's plugin files directly, since the next update silently overwrites the change; an interim same-origin check for state-changing admin requests can instead be placed in a must-use plugin (wp-content/mu-plugins/), which survives plugin updates and is removed by deleting one file.
3. Educate WordPress site administrators about the risks of clicking unsolicited links or opening suspicious emails, and encourage them to log out of wp-admin when not actively using it, since CSRF only works against an active session.
4. Use a web application firewall (WAF) or reverse proxy rule that requires a same-site Origin or Referer header on requests to wp-admin/admin-post.php and wp-admin/admin-ajax.php, and alert on admin requests arriving with an off-site Referer. A WAF cannot recognise "CSRF" as a payload signature; the cross-site header mismatch is the only reliable signal it has.
5. Regularly back up purchase and expense data so records can be restored after an unauthorized deletion, and keep enough retention to cover the time between deletion and discovery.
6. Restrict administrative access to trusted networks or VPNs to reduce exposure. Note that this does not stop CSRF by itself: the forged request is sent by the administrator's own browser, which is already inside the trusted network.
7. Conduct security audits of WordPress plugins and remove or replace plugins that are no longer maintained or have known vulnerabilities.
8. Implement multi-factor authentication (MFA) for administrator accounts to reduce the risk of account compromise. MFA complements, but does not replace, CSRF protection: the forged request rides on a session that has already passed MFA.
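Recommendations 2 and 4 both amount to "refuse state-changing admin requests that did not originate from this site". The following must-use plugin is an added example of that interim control, not part of any codnloc release or WordPress core. It assumes the vulnerable handler is reached through wp-admin (admin-post.php or admin-ajax.php carrying an action parameter), which is the usual WordPress pattern; the function names are hypothetical.

```php
<?php
/**
 * Plugin Name: Interim cross-site admin request guard (added example)
 *
 * Save as wp-content/mu-plugins/interim-csrf-guard.php. Leaves the vulnerable
 * plugin untouched, so it survives plugin updates; remove the file once a fixed
 * plugin version is installed.
 */

/** True when $url's host is this site's host. */
function interim_csrf_guard_same_site($url, $home_host) {
    $host = wp_parse_url($url, PHP_URL_HOST);
    return $host !== null && strcasecmp($host, $home_host) === 0;
}

/**
 * Reject admin requests whose browser-supplied Origin or Referer points at
 * another site. Runs on admin_init, which fires for wp-admin pages,
 * admin-post.php and admin-ajax.php alike.
 */
function interim_csrf_guard_check() {
    $method     = isset($_SERVER['REQUEST_METHOD']) ? $_SERVER['REQUEST_METHOD'] : 'GET';
    $has_action = isset($_REQUEST['action']);

    // Plain GET page views carry no action and are left alone. A nonce-less
    // deletion handler may well be triggered by GET (the "click a link" case in
    // the advisory), so GET requests that name an action are checked too.
    if ($method === 'GET' && !$has_action) {
        return;
    }

    $home_host = wp_parse_url(home_url(), PHP_URL_HOST);
    $origin    = isset($_SERVER['HTTP_ORIGIN'])  ? $_SERVER['HTTP_ORIGIN']  : '';
    $referer   = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';

    // Browsers send Origin on cross-site POSTs; it is the stronger signal.
    if ($origin !== '' && !interim_csrf_guard_same_site($origin, $home_host)) {
        wp_die('Cross-site admin request blocked.', 'Forbidden', array('response' => 403));
    }

    // A top-level navigation from an attacker page has no Origin but, unless the
    // attacker suppresses it, a Referer naming the attacker's site. A request with
    // neither header is refused as well: legitimate wp-admin navigation always
    // carries at least a same-origin Referer.
    if ($origin === '' && !interim_csrf_guard_same_site($referer, $home_host)) {
        wp_die('Cross-site admin request blocked.', 'Forbidden', array('response' => 403));
    }
}
add_action('admin_init', 'interim_csrf_guard_check', 0);
```

Two caveats before deploying this. First, it blocks an administrator who types or bookmarks an action URL directly (no Referer), which is rare but worth telling the team. Second, it is a header check, not a nonce: anything that can issue a request from the site's own origin, such as a stored XSS elsewhere on the site, bypasses it. It buys time until the plugin itself verifies a nonce; it is not a replacement for the vendor fix.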
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-03T17:04:44.930Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 693b9187650da22753edbd43
Added to database: 12/12/2025, 3:52:39 AM
Last enriched: 12/19/2025, 5:24:39 AM
Last updated: 2/3/2026, 11:43:19 PM
Related Threats
- CVE-2026-1632: CWE-306 Missing Authentication for Critical Function in RISS SRL MOMA Seismic Station (Critical)
- CVE-2026-1812: Path Traversal in bolo-blog bolo-solo (Medium)
- CVE-2026-24514: CWE-770 Allocation of Resources Without Limits or Throttling in Kubernetes ingress-nginx (Medium)
- CVE-2026-24513: CWE-754 Improper Check for Unusual or Exceptional Conditions in Kubernetes ingress-nginx (Low)
- CVE-2026-24512: CWE-20 Improper Input Validation in Kubernetes ingress-nginx (High)