CVE-2025-14165 - Vulnerability Details

The Kirim.Email WooCommerce Integration plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.9. This is due to missing nonce validation on the plugin's settings page. This makes it possible for unauthenticated attackers to modify the plugin's API credentials and integration settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00013.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Developerke	Kirim.email Woocommerce Integration
Woocommerce	Woocommerce
Wordpress	Wordpress

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Developerke	Kirim.email Woocommerce Integration
Woocommerce	Woocommerce
Wordpress	Wordpress

References

Link	Providers
https://plugins.trac.wordpress.org/browser/kirimemail-woocommerce-integration/tags/1.2.9/includes/class-kirimemail-woocommerce.php#L113
https://plugins.trac.wordpress.org/browser/kirimemail-woocommerce-integration/tags/1.2.9/includes/class-kirimemail-woocommerce.php#L137
https://plugins.trac.wordpress.org/browser/kirimemail-woocommerce-integration/trunk/includes/class-kirimemail-woocommerce.php#L113
https://plugins.trac.wordpress.org/browser/kirimemail-woocommerce-integration/trunk/includes/class-kirimemail-woocommerce.php#L137
https://www.wordfence.com/threat-intel/vulnerabilities/id/70993f6f-d9b0-49d5-b35e-e129f96529f6?source=cve

History

Mon, 15 Dec 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 12 Dec 2025 09:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Developerke Developerke kirim.email Woocommerce Integration Woocommerce Woocommerce woocommerce Wordpress Wordpress wordpress
Vendors & Products		Developerke Developerke kirim.email Woocommerce Integration Woocommerce Woocommerce woocommerce Wordpress Wordpress wordpress

Fri, 12 Dec 2025 03:45:00 +0000

Type	Values Removed	Values Added
Description		The Kirim.Email WooCommerce Integration plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.9. This is due to missing nonce validation on the plugin's settings page. This makes it possible for unauthenticated attackers to modify the plugin's API credentials and integration settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title		Kirim.Email WooCommerce Integration <= 1.2.9 - Cross-Site Request Forgery to Settings Update
Weaknesses		CWE-352
References		https://plugins.trac.wordpress.org/browser/kirimemail-woocommerce-integration/tags/1.2.9/includes/class-kirimemail-woocommerce.php#L113 https://plugins.trac.wordpress.org/browser/kirimemail-woocommerce-integration/tags/1.2.9/includes/class-kirimemail-woocommerce.php#L137 https://plugins.trac.wordpress.org/browser/kirimemail-woocommerce-integration/trunk/includes/class-kirimemail-woocommerce.php#L113 https://plugins.trac.wordpress.org/browser/kirimemail-woocommerce-integration/trunk/includes/class-kirimemail-woocommerce.php#L137 https://www.wordfence.com/threat-intel/vulnerabilities/id/70993f6f-d9b0-49d5-b35e-e129f96529f6?source=cve
Metrics		cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}`

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2025-12-12T03:20:48.466Z

Updated: 2025-12-15T18:14:54.346Z

Reserved: 2025-12-05T21:16:58.731Z

Link: CVE-2025-14165

Vulnrichment

Updated: 2025-12-12T21:03:06.305Z

NVD

Status : Awaiting Analysis

Published: 2025-12-12T04:15:49.090

Modified: 2025-12-12T15:17:31.973

Link: CVE-2025-14165

Redhat

No data.

OpenCVE Enrichment

Updated: 2025-12-12T08:48:03Z

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object