CVE-2025-2942: CWE-200 Information Exposure in Order Delivery Date
The Order Delivery Date WordPress plugin before 12.6.0 discloses arbitrary post titles (such as those from draft and private posts) via an unauthenticated AJAX action, allowing attackers to retrieve such information.
AI Analysis
Technical Summary
CVE-2025-2942 is a medium severity information exposure vulnerability affecting the WordPress plugin 'Order Delivery Date' in versions prior to 12.6.0. The vulnerability arises due to an unauthenticated AJAX action that discloses arbitrary post titles, including those from draft and private posts. This means that an attacker without any authentication can send specially crafted requests to the plugin's AJAX endpoint and retrieve sensitive metadata about posts that are not publicly accessible. The exposure is limited to post titles, which may reveal sensitive or confidential information depending on the content of the drafts or private posts. The vulnerability is categorized under CWE-200 (Information Exposure), indicating that the flaw leaks information that should otherwise be protected. The CVSS v3.1 base score is 4.3 (medium), with vector AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N, indicating network attack vector, low attack complexity, no privileges required, some user interaction needed, unchanged scope, and low impact on confidentiality with no impact on integrity or availability. No known exploits are currently reported in the wild, and no patches or updates have been linked yet. The vulnerability was reserved in March 2025 and published in July 2025. This issue can be exploited remotely without authentication but requires user interaction, likely meaning the victim must trigger the AJAX call or visit a malicious page. The scope is limited to information disclosure of post titles, which could be leveraged for further social engineering or reconnaissance but does not directly allow code execution or data modification.
Potential Impact
For European organizations using WordPress websites with the vulnerable 'Order Delivery Date' plugin, this vulnerability could lead to unintended disclosure of sensitive internal content titles, such as unpublished blog posts, internal announcements, or confidential project information. While the direct impact on confidentiality is low, the leaked information could aid attackers in crafting targeted phishing campaigns or social engineering attacks, increasing the risk of subsequent compromise. Organizations in sectors with strict data privacy regulations, such as finance, healthcare, or government, may face compliance risks if sensitive information is inadvertently exposed. The vulnerability does not affect data integrity or availability, so operational disruption is unlikely. However, reputational damage could occur if confidential editorial or internal content is leaked. Since the vulnerability requires no authentication, any external attacker can attempt exploitation, increasing the attack surface. The need for user interaction limits automated exploitation but does not eliminate risk, especially if attackers can lure users to malicious sites or emails that trigger the AJAX requests. Overall, the impact is moderate but should not be ignored, especially for organizations handling sensitive or regulated information.
Mitigation Recommendations
European organizations should immediately verify if their WordPress installations use the 'Order Delivery Date' plugin and identify the version in use. If running versions prior to 12.6.0, they should prioritize updating the plugin to the latest available version once released by the vendor. In the absence of an official patch, organizations can implement temporary mitigations such as disabling the vulnerable AJAX action by modifying the plugin code or restricting access to the AJAX endpoint via web application firewall (WAF) rules or server-level access controls. Monitoring web server logs for unusual AJAX requests targeting the plugin can help detect exploitation attempts. Additionally, organizations should review and limit the exposure of sensitive content titles in drafts or private posts and consider implementing stricter content access policies. User awareness training to recognize phishing attempts that might exploit this vulnerability is also recommended. Finally, maintaining regular backups and a robust incident response plan will help mitigate potential downstream impacts from exploitation.
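The version check recommended above can be scripted across a plugins directory. The following is an added example, not code from the advisory or the plugin vendor: it reads the standard WordPress plugin header fields (Plugin Name, Version) and flags copies of Order Delivery Date older than 12.6.0. The plugin's directory name is not given on this page, so matching is by header name, and the directory tree built in demo() is constructed sample data with hypothetical slugs.

```python
import re
import tempfile
from pathlib import Path

PLUGIN_NAME = "Order Delivery Date"  # name as given in the advisory
FIXED_VERSION = (12, 6, 0)           # first fixed release per the advisory
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t\r]*$", re.M | re.I)

def parse_header(text):
    """Return (name, version) from a plugin file header, or None if absent."""
    fields = {}
    for key, value in HEADER_RE.findall(text[:8192]):  # header sits at file start
        fields.setdefault(key.lower(), value)
    if "plugin name" not in fields:
        return None
    return fields["plugin name"], fields.get("version", "")

def version_tuple(version):
    """'12.5' -> (12, 5, 0); anything after the third number is ignored."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def scan(plugins_dir):
    """Return (directory, version, status) for each copy of the plugin found."""
    results = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        header = parse_header(php.read_text(errors="replace"))
        if not header or PLUGIN_NAME.lower() not in header[0].lower():
            continue
        version = header[1]
        if not version:
            status = "unknown"  # no Version field: check by hand
        else:
            status = "vulnerable" if version_tuple(version) < FIXED_VERSION else "fixed"
        results.append((php.parent.name, version, status))
    return results

def demo():
    """Scan a constructed plugins directory (sample data, hypothetical slugs)."""
    with tempfile.TemporaryDirectory() as root:
        for slug, name, ver in [("odd-old", PLUGIN_NAME, "12.5.0"),
                                ("odd-new", PLUGIN_NAME, "12.6.0"),
                                ("other", "Some Other Plugin", "1.0")]:
            Path(root, slug).mkdir()
            Path(root, slug, "main.php").write_text(f"<?php\n/*\nPlugin Name: {name}\nVersion: {ver}\n*/\n")
        return scan(root)

if __name__ == "__main__":
    print(demo())
```

On a real host, call scan() with the path to the site's wp-content/plugins directory; any "vulnerable" or "unknown" result is a candidate for the update or temporary mitigations described above.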
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: WPScan
- Date Reserved: 2025-03-28T20:52:11.309Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 6875696ba83201eaaccaa8f3
Added to database: 7/14/2025, 8:32:43 PM
Last enriched: 7/21/2025, 9:02:07 PM
Last updated: 8/18/2025, 7:14:11 AM