CVE-2025-62101

Published 2025-12-31

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 17:44 (vuln.today)
CVE Published: Dec 31, 2025 17:15 (nvd)

Description

Cross-Site Request Forgery (CSRF) vulnerability in Omid Shamloo Pardakht Delkhah pardakht-delkhah allows Cross Site Request Forgery. This issue affects Pardakht Delkhah: from n/a through <= 3.0.0.

Analysis

A cross-site request forgery (CSRF) flaw in the Pardakht Delkhah WordPress plugin, through version 3.0.0, lets an unauthenticated attacker perform unauthorized actions on behalf of an authenticated user by tricking that user into visiting an attacker-controlled page. All versions up to and including 3.0.0 are affected; no CVSS score and no public exploit code have been published. Exploitation probability is rated low (EPSS 0.01%) even though the attack vector is network-accessible, most likely because CSRF requires a social-engineering step to get a logged-in user to load the malicious page.

Technical Context

CSRF (CWE-352) vulnerabilities arise when a web application does not adequately verify that a state-changing request was intentionally issued by the user whose session it runs under. Standard protections include nonce (anti-forgery token) validation, SameSite cookie attributes, and token-based request verification. In WordPress plugins the weakness typically appears when admin actions, form submissions, or API endpoints are processed without checking that the request originated from a legitimate user session (for example, without a nonce check). The Pardakht Delkhah plugin, used for payment processing or financial transactions in WordPress environments, lacks proper validation of its state-changing requests. An attacker can therefore craft HTML or JavaScript that silently submits such a request (for example, to modify settings, process transactions, or change user permissions) when an authenticated administrator unknowingly visits an attacker-controlled site, because the browser attaches the administrator's session cookie automatically.
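The following is an added illustration of the nonce-validation pattern described above; it is not code from the Pardakht Delkhah plugin and does not show its actual handlers. It contrasts a settings-save handler written without CSRF protection against the same handler hardened with a WordPress nonce and a capability check. All hook names, option names and form field names (`pd_example_*`) are hypothetical, and the code assumes it is loaded as part of a WordPress plugin, since WordPress core supplies the `wp_*` and `check_admin_referer` functions.

```php
<?php
/**
 * Added example (not the Pardakht Delkhah plugin's own code).
 * Shows a WordPress admin-post handler first without CSRF protection,
 * then hardened with a nonce plus a capability check.
 * Hook, option and field names are hypothetical; the file is meant to be
 * loaded by WordPress, which provides the functions used below.
 */

// --- Vulnerable pattern (CWE-352): trusts any POST reaching the handler. ---
// A request forged from another origin still carries the admin's session
// cookie, so this handler cannot distinguish a real form submit from a
// forged one and will change the option either way.
function pd_example_save_settings_vulnerable() {
    $merchant_id = sanitize_text_field( wp_unslash( $_POST['merchant_id'] ?? '' ) );
    update_option( 'pd_example_merchant_id', $merchant_id );
    wp_safe_redirect( admin_url( 'admin.php?page=pd_example&saved=1' ) );
    exit;
}

// --- Hardened pattern: nonce bound to the action and user, plus capability. ---
function pd_example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="pd_example_save">
        <?php
        // Emits a hidden field holding a nonce tied to this action and the
        // current user. A page on another origin cannot read or guess it.
        wp_nonce_field( 'pd_example_save', 'pd_example_nonce' );
        ?>
        <label>Merchant ID
            <input type="text" name="merchant_id"
                   value="<?php echo esc_attr( get_option( 'pd_example_merchant_id', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function pd_example_save_settings_hardened() {
    // 1. Authorisation: only users who may manage options get this far.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF check: verifies the nonce for this action (and, on admin
    //    screens, the Referer). Missing or invalid nonce -> wp_die() with 403,
    //    so execution never reaches the state change.
    check_admin_referer( 'pd_example_save', 'pd_example_nonce' );

    // 3. Only now is the state-changing operation performed.
    $merchant_id = sanitize_text_field( wp_unslash( $_POST['merchant_id'] ?? '' ) );
    update_option( 'pd_example_merchant_id', $merchant_id );

    wp_safe_redirect( admin_url( 'admin.php?page=pd_example&saved=1' ) );
    exit;
}

// Register only the hardened handler (admin_post_{action} fires for
// logged-in users submitting action=pd_example_save to admin-post.php).
add_action( 'admin_post_pd_example_save', 'pd_example_save_settings_hardened' );
```

The order of the checks matters: the capability check answers "is this user allowed to do this at all", and the nonce check answers "did this user actually intend this request", which is the question CSRF exploits. For AJAX endpoints the equivalent call is `check_ajax_referer()`, and REST routes registered with `register_rest_route()` should declare a `permission_callback` and rely on the `X-WP-Nonce` header that the REST API already validates.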

Affected Products

The Pardakht Delkhah WordPress plugin by Omid Shamloo is affected through version 3.0.0; all versions from the earliest release through 3.0.0 inclusive are in scope. The plugin is distributed via the WordPress.org plugin repository and can be identified by the CPE wordpress_pardakht-delkhah_plugin. Additional details are available in the Patchstack vulnerability database at https://patchstack.com/database/Wordpress/Plugin/pardakht-delkhah/vulnerability/wordpress-pardakht-delkhah-plugin-3-0-0-cross-site-request-forgery-csrf-vulnerability.

Remediation

Update the Pardakht Delkhah plugin to the latest patched version released after 3.0.0. In the WordPress Dashboard, go to Plugins > Installed Plugins, locate Pardakht Delkhah, and click 'Update now' if a newer version is available, or manually download the patched version from the WordPress.org plugin page. As an interim mitigation before a patch is released or applied, administrators should limit plugin access via role-based permissions, enforce strict user permissions within WordPress, and educate users about phishing and malicious-link risks, since CSRF depends on a logged-in user loading an attacker-controlled page. Consult the plugin vendor or the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/pardakht-delkhah/vulnerability/) for the specific patched version number and release timing.

Priority Score

Priority: 0 (KEV: 0, EPSS: +0.0, CVSS: +0, POC: 0)
