CVE-2025-32673 Overview
CVE-2025-32673 is a Cross-Site Request Forgery (CSRF) vulnerability in the Epeken All Kurir WordPress plugin developed by epeken. The flaw enables attackers to chain CSRF with Stored Cross-Site Scripting (XSS), allowing persistent JavaScript payloads to be saved through forged authenticated requests. All plugin versions up to and including 2.0.6 are affected. The weakness is classified as [CWE-352] Cross-Site Request Forgery.
Critical Impact
An attacker who lures an authenticated WordPress administrator to a malicious page can silently inject persistent script payloads into the site, leading to session theft, account takeover, and arbitrary actions executed in the victim's browser context.
Affected Products
- epeken Epeken All Kurir WordPress plugin (epeken-all-kurir)
- All versions from initial release through 2.0.6
- WordPress sites with the plugin installed and active
Discovery Timeline
- 2025-04-09 - CVE-2025-32673 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2025-32673
Vulnerability Analysis
The Epeken All Kurir plugin exposes administrative functionality without adequate CSRF protections. Plugin endpoints that accept persistent input do not validate WordPress nonces or verify request origin. An attacker can craft an HTML page that triggers a state-changing request to the vulnerable endpoint when visited by a logged-in administrator.
Because the stored input is later rendered without proper output encoding, the forged request also delivers a Stored XSS payload. The script executes in the browser of any user who subsequently views the affected page. This combination converts a passive CSRF flaw into a persistent client-side code execution primitive.
User interaction is required, since an authenticated victim must visit the attacker-controlled page. The scope changes because the injected script runs in the WordPress origin rather than the attacker's domain.
Root Cause
The root cause is the absence of CSRF token validation on plugin handlers that write user-controlled data, combined with insufficient sanitization and escaping of that data when it is later rendered in the WordPress admin or front-end context. Both wp_verify_nonce() checks and contextual output escaping using functions such as esc_html() or esc_attr() are missing or inadequate in vulnerable code paths.
Attack Vector
Exploitation requires no authentication on the attacker side and is delivered over the network. The attacker hosts a page containing an auto-submitting form or fetch request targeting the vulnerable plugin endpoint. When a WordPress administrator with an active session loads the page, the browser attaches authentication cookies and submits the request. The payload is stored and executes whenever the rendered page is viewed.
The vulnerability is described in the Patchstack Vulnerability Report. No verified public proof-of-concept code is available at this time.
Detection Methods for CVE-2025-32673
Indicators of Compromise
- Unexpected <script> tags, event handlers, or javascript: URIs stored in plugin-managed database tables or post metadata related to epeken-all-kurir.
- WordPress administrator sessions performing plugin configuration changes from unfamiliar Referer headers or external origins.
- New or modified administrator accounts created shortly after an admin browsing session.
Detection Strategies
- Audit WordPress database content for HTML or JavaScript artifacts within fields written by the Epeken All Kurir plugin.
- Inspect web server access logs for POST requests to plugin endpoints lacking valid Referer or Origin headers tied to the site domain.
- Deploy a Web Application Firewall rule to flag state-changing requests to wp-admin plugin handlers without a valid nonce parameter.
Monitoring Recommendations
- Enable WordPress activity logging to track plugin setting changes and option updates.
- Alert on administrative browser sessions that load external third-party domains immediately before plugin configuration changes.
- Monitor egress traffic from administrator workstations for callbacks to attacker-controlled domains characteristic of XSS payload exfiltration.
How to Mitigate CVE-2025-32673
Immediate Actions Required
- Deactivate and remove the epeken-all-kurir plugin until a patched version above 2.0.6 is confirmed available from the vendor.
- Force password resets and invalidate active sessions for all WordPress administrator accounts.
- Review user roles and recently created accounts for unauthorized privilege escalation.
Patch Information
At publication, no fixed version beyond 2.0.6 is referenced in the available data. Administrators should monitor the plugin's WordPress.org listing and the Patchstack Vulnerability Report for an official update and apply it as soon as it is published.
Workarounds
- Restrict access to wp-admin by IP allowlisting at the web server or WAF layer to limit CSRF exposure.
- Require administrators to use a dedicated browser profile for WordPress management to reduce cross-site cookie attachment.
- Deploy a Content Security Policy that disallows inline scripts and unauthorized external script sources to limit Stored XSS impact.
# Example: temporarily disable the vulnerable plugin via WP-CLI
wp plugin deactivate epeken-all-kurir
wp plugin delete epeken-all-kurir
# Optional: restrict wp-admin to trusted IPs in nginx
# location ^~ /wp-admin/ {
# allow 203.0.113.0/24;
# deny all;
# }
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
