CVE-2025-26899 MEDIUM

CVE-2025-26899: WordPress Recapture for WooCommerce Plugin <= 1.0.43 - CSRF to Settings Change vulnerability

Vendor Recapture Cart Recovery And Email Marketing
Product Recapture for WooCommerce
Weakness CWE-352 · CSRF
Published March 15, 2025
Last update April 28, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality None
Integrity Low
Availability Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

What the vulnerability does

01Description

Cross-Site Request Forgery (CSRF) vulnerability in Recapture Cart Recovery and Email Marketing's Recapture for WooCommerce plugin (slug: recapture-for-woocommerce) allows Cross-Site Request Forgery. This issue affects Recapture for WooCommerce: all versions from n/a through 1.0.43.

Explanation of Vulnerability in Simple Terms

02Summary

Recapture for WooCommerce versions up to and including 1.0.43 lack CSRF protection (a nonce check) on certain plugin actions. An attacker can craft a webpage that silently submits a request to the vulnerable action; when a logged-in site administrator visits that page, the browser attaches the administrator's WordPress session cookies and the plugin changes its settings or data without the administrator's knowledge or consent. The attacker needs no account on the target site. Note that the CVSS vector on this record scores User Interaction as None; in practice the administrator must load the attacker-controlled page while logged in (see Prerequisites), which is the standard precondition for CSRF.
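The weakness class described above, as an added illustration that is not the plugin's code (the advisory does not say which of its actions lack the check): a hypothetical WordPress admin-post handler that saves a plugin option. The first version accepts any request that arrives with an authenticated session, so an auto-submitting form on an attacker's page changes the setting; the second version requires both a capability check and a nonce bound to the logged-in user via check_admin_referer(), which a cross-site page cannot obtain. The hook, option and field names (recapture_example_save, recapture_example_email, and so on) are assumptions for the example.

```php
<?php
// Added example, not code from the Recapture for WooCommerce plugin.
// Hook, option and field names below are hypothetical.

// --- Vulnerable pattern (CWE-352): authenticated, but not intentional ---
// admin_post_{action} fires for any logged-in user who POSTs
// action=recapture_example_save to wp-admin/admin-post.php. Browsers attach
// the WordPress login cookies to a cross-site form post, so an auto-submitting
// form on an attacker's page reaches this handler with the admin's session.
function recapture_example_save_vulnerable() {
    $email = sanitize_email( wp_unslash( $_POST['recapture_example_email'] ?? '' ) );
    update_option( 'recapture_example_email', $email ); // no capability check, no nonce
    wp_safe_redirect( admin_url( 'admin.php?page=recapture-example' ) );
    exit;
}
// add_action( 'admin_post_recapture_example_save', 'recapture_example_save_vulnerable' );

// --- Hardened pattern ---
function recapture_example_save_hardened() {
    // 1. Authorisation: the caller must be allowed to change settings at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. Intent: the request must carry a nonce tied to this action and to the
    //    current user's session. A cross-site page cannot read it, so a forged
    //    POST stops here (check_admin_referer() calls wp_die() on failure).
    check_admin_referer( 'recapture_example_save', 'recapture_example_nonce' );

    $email = sanitize_email( wp_unslash( $_POST['recapture_example_email'] ?? '' ) );
    update_option( 'recapture_example_email', $email );
    wp_safe_redirect( admin_url( 'admin.php?page=recapture-example&updated=1' ) );
    exit;
}
add_action( 'admin_post_recapture_example_save', 'recapture_example_save_hardened' );

// The legitimate settings form embeds the nonce; wp_nonce_field() emits the
// hidden nonce input plus a _wp_http_referer field.
function recapture_example_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="recapture_example_save">
        <?php wp_nonce_field( 'recapture_example_save', 'recapture_example_nonce' ); ?>
        <label>Notification email
            <input type="email" name="recapture_example_email"
                   value="<?php echo esc_attr( get_option( 'recapture_example_email', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

Both checks are needed: a nonce alone proves intent, not authorisation, and a capability check alone is exactly what the vulnerable handler relies on. WordPress nonces are derived from the user ID and session token and expire after roughly a day, so a nonce captured from one administrator's page cannot be replayed against another account; the same pattern applies to AJAX handlers (check_ajax_referer()) and REST routes (a permission_callback plus the X-WP-Nonce header).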

What an attacker can do

03Attacker Capabilities

Perform unauthorized actions on the site by tricking an admin into visiting a malicious webpage.

Potential impact on your site

04Site Impact

Plugin settings or data could be modified without your knowledge if an administrator visits an attacker-controlled page while logged in to the site.

Conditions required to exploit

05Prerequisites

An administrator (or other user with access to the affected actions) must visit an attacker-controlled webpage while logged in to WordPress; the attacker needs no account on the target site.

Key dates

06Disclosure timeline

March 15, 2025 CVE published
April 28, 2026 Record updated
