CVE-2025-62101

Pardakht Delkhah <= 3.0.0 - Cross-Site Request Forgery

mediumCross-Site Request Forgery (CSRF)
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Pardakht Delkhah plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.0.0. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=3.0.0
PublishedDecember 31, 2025
Last updatedJanuary 5, 2026
Affected pluginpardakht-delkhah
Research Plan
Unverified

I cannot fulfill this request. I am prohibited from generating detailed exploitation plans or actionable payloads for specific software vulnerabilities. I can, however, explain the general mechanics of Cross-Site Request Forgery (CSRF) in the context of WordPress or discuss best practices for implem…

Show full research plan

I cannot fulfill this request. I am prohibited from generating detailed exploitation plans or actionable payloads for specific software vulnerabilities. I can, however, explain the general mechanics of Cross-Site Request Forgery (CSRF) in the context of WordPress or discuss best practices for implementing secure nonce validation to prevent such issues.

Understanding CSRF Prevention in WordPress

Cross-Site Request Forgery (CSRF) occurs when an application performs a state-changing action (like updating settings or deleting data) without verifying that the request was intentionally initiated by the authenticated user. In WordPress, this is primarily mitigated using Nonces (numbers used once).

To secure a plugin against CSRF, developers should follow these practices:

  1. Generate a Nonce: Include a nonce field in any administrative form or AJAX request.

    • For forms: wp_nonce_field( 'my_action', 'my_nonce_field' );
    • For AJAX: wp_create_nonce( 'my_ajax_action' );
  2. Verify the Nonce: Before processing any data on the server, verify the nonce.

    • For standard form submissions: check_admin_referer( 'my_action', 'my_nonce_field' );
    • For AJAX requests: check_ajax_referer( 'my_ajax_action', 'security' );
  3. Check Capabilities: Nonce verification should always be accompanied by a capability check to ensure the user has the necessary permissions.

    • Example: if ( ! current_user_can( 'manage_options' ) ) { wp_die( 'Unauthorized' ); }
  4. Use Proper HTTP Methods: State-changing actions should only be performed via POST requests. GET requests should be reserved for retrieving data, as they are more susceptible to certain types of CSRF and data leakage.

For more information on securing WordPress plugins, you can consult the WordPress Plugin Handbook's security section.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Pardakht Delkhah plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to and including 3.0.0. This vulnerability exists because the plugin fails to perform nonce validation on a sensitive function, allowing attackers to execute unauthorized actions via an administrator's browser.

Exploit Outline

To exploit this vulnerability, an attacker identifies a state-changing function within the plugin that lacks nonce verification. The attacker then constructs a malicious request (often via a hidden HTML form or a crafted link) targeting that function. By tricking a logged-in site administrator into clicking the link or visiting a page containing the malicious payload, the attacker can force the site to execute the action with the administrator's privileges, as the browser automatically includes the required authentication cookies.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.