CVE-2025-58802: CWE-352 Cross-Site Request Forgery (CSRF) in michalzagdan TrustMate.io – WooCommerce integration
Cross-Site Request Forgery (CSRF) vulnerability in michalzagdan TrustMate.io – WooCommerce integration allows Cross Site Request Forgery. This issue affects TrustMate.io – WooCommerce integration: from n/a through 1.14.0.
AI Analysis
Technical Summary
CVE-2025-58802 is a Cross-Site Request Forgery (CSRF) vulnerability identified in the TrustMate.io – WooCommerce integration plugin developed by michalzagdan. This vulnerability affects all versions up to and including 1.14.0. CSRF vulnerabilities occur when an attacker tricks an authenticated user into submitting a forged request to a web application, causing the application to perform unwanted actions on behalf of the user without their consent. In this case, the vulnerability allows an attacker to craft malicious requests that, when executed by an authenticated WooCommerce administrator or user with sufficient privileges, could alter the state or configuration of the TrustMate.io integration or perform other actions permitted by the plugin. The CVSS v3.1 base score is 4.3, indicating a medium severity level. The vector string (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) shows that the attack can be performed remotely over the network without privileges but requires user interaction (such as clicking a link). The impact is limited to integrity, with no confidentiality or availability impact. There are no known exploits in the wild, and no patches have been published at the time of this report. The vulnerability is classified under CWE-352, a well-known web security weakness in which the application does not sufficiently verify that a state-changing request was intentionally submitted by the user. Since WooCommerce is a widely used e-commerce platform built on WordPress, and TrustMate.io is an integration plugin for it, this vulnerability could affect online stores using this plugin to manage customer reviews or trust signals. Exploitation could lead to unauthorized changes in plugin settings or other actions that may disrupt business processes or undermine the trustworthiness of the e-commerce site.
Potential Impact
For European organizations operating e-commerce platforms using WooCommerce with the TrustMate.io integration, this vulnerability poses a risk of unauthorized manipulation of plugin settings or actions that could affect the integrity of customer reviews or trust data. While the confidentiality and availability of the system are not directly impacted, integrity violations could lead to reputational damage, loss of customer trust, and potential financial losses due to fraudulent or manipulated review data. Since WooCommerce is popular among small to medium-sized enterprises across Europe, especially in countries with high e-commerce adoption like Germany, the UK, France, and the Netherlands, the impact could be widespread if exploited. Attackers could leverage social engineering to trick administrators into executing malicious requests, potentially leading to unauthorized changes without detection. This could also be a stepping stone for further attacks if combined with other vulnerabilities or misconfigurations. However, the medium severity and requirement for user interaction limit the immediacy and scale of impact compared to more critical vulnerabilities.
Mitigation Recommendations
To mitigate this CSRF vulnerability, European organizations should:
1. Immediately monitor official channels for patches or updates from the plugin developer and apply them as soon as they become available.
2. Implement strict Content Security Policies (CSP) and SameSite cookie attributes to reduce the risk of CSRF attacks by restricting cross-origin requests.
3. Enforce multi-factor authentication (MFA) for all WooCommerce administrative accounts to reduce the risk of unauthorized actions even if a CSRF attack is attempted.
4. Educate administrators and users with elevated privileges about the risks of clicking on suspicious links or visiting untrusted websites while logged into the WooCommerce admin panel.
5. Use web application firewalls (WAFs) with rules designed to detect and block CSRF attack patterns targeting WooCommerce plugins.
6. Regularly audit plugin usage and configurations to detect any unauthorized changes promptly.
7. Consider temporarily disabling or restricting the TrustMate.io integration plugin if it is not critical to business operations until a patch is available.
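As an added illustration of the CWE-352 weakness class this advisory describes (not the TrustMate.io plugin's own code; the handler, option and capability names are hypothetical), here is a WordPress settings handler that performs no request validation next to one that verifies a per-user nonce and the caller's capability, which is the standard WordPress defense against CSRF:

```php
<?php
// Added illustration, not code from the TrustMate.io plugin. Handler, option
// and capability names are hypothetical placeholders.

// VULNERABLE (CWE-352): any request that reaches admin-post.php while the
// browser holds a valid admin session cookie changes the setting, including a
// form auto-submitted from an unrelated page the administrator happens to visit.
add_action( 'admin_post_example_save_settings', 'example_save_settings_vulnerable' );
function example_save_settings_vulnerable() {
    update_option( 'example_api_key', $_POST['api_key'] );
    wp_safe_redirect( admin_url( 'admin.php?page=example-settings' ) );
    exit;
}

// HARDENED: (1) the request must carry a nonce bound to this action and to the
// logged-in user, which a cross-site page cannot read or forge; (2) the user
// must hold the required capability; (3) input is sanitized before storage.
add_action( 'admin_post_example_save_settings_v2', 'example_save_settings_hardened' );
function example_save_settings_hardened() {
    // Stops with an error page if the nonce is missing, expired or invalid.
    check_admin_referer( 'example_save_settings', '_example_nonce' );

    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.', 'example' ), '', array( 'response' => 403 ) );
    }

    $api_key = isset( $_POST['api_key'] ) ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) ) : '';
    update_option( 'example_api_key', $api_key );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'admin.php?page=example-settings' ) ) );
    exit;
}

// The legitimate settings form must emit the matching nonce so that genuine
// submissions from the admin panel pass check_admin_referer().
function example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_settings_v2">
        <?php wp_nonce_field( 'example_save_settings', '_example_nonce' ); ?>
        <input type="text" name="api_key" value="<?php echo esc_attr( get_option( 'example_api_key', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

When auditing a plugin for this weakness, look for `admin_post_*`, `wp_ajax_*` and `admin_init` handlers that call `update_option()` or similar state-changing functions without a preceding `check_admin_referer()`, `check_ajax_referer()` or `wp_verify_nonce()` call.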
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Patchstack
- Date Reserved: 2025-09-05T10:49:01.959Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68baeaa257c5b37b67a45ff3
Added to database: 9/5/2025, 1:50:26 PM
Last enriched: 9/5/2025, 2:20:02 PM
Last updated: 9/5/2025, 8:04:46 PM
Related Threats
- CVE-2025-58370 (High): CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in RooCodeInc Roo-Code
- CVE-2025-58369 (Medium): CWE-400: Uncontrolled Resource Consumption in typelevel fs2
- CVE-2025-58367 (Critical): CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes in seperman deepdiff
- CVE-2025-58366 (Critical): CWE-522: Insufficiently Protected Credentials in InseeFrLab onyxia
- CVE-2025-10027 (Medium): Cross Site Scripting in itsourcecode POS Point of Sale System