CVE-2025-27012
Published: 22 February 2025
Summary
CVE-2025-27012 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 30.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates CSRF vulnerabilities by requiring mechanisms such as anti-CSRF tokens to protect the authenticity of communications sessions.
Requires validation of information inputs like CSRF tokens in requests to prevent forged cross-site requests leading to privilege escalation.
Mandates timely remediation of flaws, such as patching the A1POST.BG Shipping for Woo plugin to version 1.5.1 or later, to eliminate the specific CSRF vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CSRF vulnerability in public-facing WordPress plugin directly enables exploitation of the application for initial access (T1190) and facilitates privilege escalation (T1068) via crafted requests tricking authenticated users.
NVD Description
Cross-Site Request Forgery (CSRF) vulnerability in a1post A1POST.BG Shipping for Woo a1post-bg-shipping-for-woocommerce allows Privilege Escalation.This issue affects A1POST.BG Shipping for Woo: from n/a through <= 1.5.
Deeper analysisAI
CVE-2025-27012 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, present in the WordPress plugin A1POST.BG Shipping for Woo (a1post-bg-shipping-for-woocommerce). This flaw allows privilege escalation and affects all versions of the plugin from n/a through 1.5 inclusive. Published on 2025-02-22, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.
The vulnerability can be exploited by unauthenticated attackers (PR:N) over the network (AV:N) with low complexity (AC:L), but requires user interaction (UI:R), such as tricking an authenticated user into submitting a malicious request via a crafted webpage or link. Successful exploitation enables privilege escalation, resulting in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H) within the affected WordPress site.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/a1post-bg-shipping-for-woocommerce/vulnerability/wordpress-a1post-bg-shipping-for-woo-plugin-1-5-1-csrf-to-privilege-escalation-vulnerability?_s_id=cve details the issue and indicates that version 1.5.1 of the plugin addresses the vulnerability. Practitioners should prioritize updating to 1.5.1 or later and verify CSRF token implementations in custom integrations.
Details
- CWE(s)