CVE-2025-60171: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the Conditional Cart Messages for WooCommerce plugin by YourPlugins.com, affecting versions up to 1.2.10. The vulnerability was reported by Nguyen Xuan Chien on August 26, 2025, and was publicly disclosed on September 26, 2025. The vulnerability has been assigned CVE-2025-60171 and received a CVSS v3.1 base score of 7.1 (High) (Patchstack).

The vulnerability is classified as a Cross-Site Request Forgery (CSRF) issue that also allows for Stored XSS. It has been assigned CWE-352 (Cross-Site Request Forgery). The CVSS v3.1 vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, indicating that the vulnerability can be exploited remotely, requires low attack complexity, needs no privileges, but does require user interaction (NVD).

The vulnerability could allow malicious actors to force higher privileged users to execute unwanted actions under their current authentication. The impact is particularly concerning as it affects confidentiality, integrity, and availability, all rated as Low in the CVSS scoring (Patchstack).

No official fix is currently available for this vulnerability. The recommended mitigation strategy is to remove and replace the software with an alternative solution, as the plugin is considered abandoned and unlikely to receive future updates or security fixes (Patchstack).