CVE-2025-2805: 
WordPress vulnerability analysis and mitigation

The ORDER POST plugin for WordPress contains a vulnerability (CVE-2025-2805) that allows arbitrary shortcode execution in all versions up to and including 2.0.2. The vulnerability was discovered and disclosed on April 9, 2025. This security issue affects the WordPress plugin's functionality where it fails to properly validate values before executing the do_shortcode function (NVD).

The vulnerability is classified as a Code Injection issue (CWE-94) with a CVSS v3.1 Base Score of 7.3 (High). The attack vector is network-accessible (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) and no user interaction (UI:N). The scope is unchanged (S:U) with low impacts to confidentiality, integrity, and availability (C:L/I:L/A:L) (Wordfence).

The vulnerability allows unauthenticated attackers to execute arbitrary shortcodes, which could lead to unauthorized actions within WordPress installations using the affected plugin (NVD).

The plugin has been temporarily closed as of April 9, 2025, pending a full security review. Users are advised to remove the plugin until a patched version becomes available (WordPress Plugin).