CVE-2025-2907: 
WordPress vulnerability analysis and mitigation

The Order Delivery Date Pro for WooCommerce plugin before version 12.3.1 contains a critical security vulnerability that was discovered in March 2025 and publicly disclosed on April 4, 2025. The vulnerability affects the settings import functionality in the Pro version of the plugin (WPScan).

The vulnerability stems from missing authorization and CSRF (Cross-Site Request Forgery) checks in the settings import functionality. Additionally, the plugin lacks proper validation to restrict option updates to only those relevant to the plugin itself. The vulnerability has received a CVSS v3.1 score of 9.8 (Critical), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a severe security risk (WPScan, Wiz).

The vulnerability allows attackers to modify critical WordPress settings, specifically the 'defaultuserrole' to administrator and 'userscanregister' option. This combination enables attackers to register new accounts with administrator privileges, effectively allowing complete site takeover (WPScan).

Users are strongly advised to update to version 12.3.1 of the Order Delivery Date Pro for WooCommerce plugin, which contains the security fix for this vulnerability (Wiz).