CVE-2025-47462 HIGH

CVE-2025-47462: WordPress Challan plugin <= 3.7.58 - CSRF to Privilege Escalation vulnerability

Vendor Webappick
Product Challan
Weakness CWE-352 · CSRF
Published May 7, 2025
Last update May 12, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

Cross-Site Request Forgery (CSRF) vulnerability in WebAppick Challan (plugin slug webappick-pdf-invoice-for-woocommerce) allows Privilege Escalation. This issue affects Challan: from n/a through <= 3.7.58.

Explanation of Vulnerability in Simple Terms

02 Summary

Challan versions up to and including 3.7.58 contain a cross-site request forgery (CSRF) vulnerability that allows an attacker to perform unauthorized actions on behalf of an authenticated user. The attacker crafts a malicious link or page that, when visited by a logged-in user, causes the user's browser to submit requests to the site, executing unwanted operations without the user's knowledge or consent. This affects the confidentiality, integrity, and availability of the application.

What an attacker can do

03 Attacker Capabilities

Perform unauthorized actions on behalf of a logged-in user, such as modifying data or changing settings.

Potential impact on your site

04 Site Impact

A logged-in user's session can be abused to perform unwanted actions; an attacker can modify or delete data without authenticating to the site directly.

Conditions required to exploit

05 Prerequisites

A logged-in user must visit an attacker-controlled page or click a malicious link while authenticated to Challan.

Key dates

06 Disclosure timeline

May 7, 2025 CVE published
May 12, 2026 Record updated