CVE-2025-13987
Purchase and Expense Manager <= 1.1.2 - Cross-Site Request Forgery to Arbitrary Purchase Record Deletion
CVSS Score
4.3
EPSS Score
0.0%
EPSS Percentile
0th
The Purchase and Expense Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. This is due to missing nonce validation on the 'sup_pt_handle_deletion' function. This makes it possible for unauthenticated attackers to delete arbitrary purchase records via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
| CWE | CWE-352 |
| Vendor | codnloc |
| Product | purchase and expense manager |
| Published | Dec 12, 2025 |
| Last Updated | Apr 8, 2026 |
Stay Ahead of the Next One
Get instant alerts for codnloc purchase and expense manager
Be the first to know when new medium vulnerabilities affecting codnloc purchase and expense manager are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
codnloc / Purchase and Expense Manager
0 โค 1.1.2
References
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/c9826506-2292-44a7-9564-832e54bf4fba?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/purchase-and-expense-manager/trunk/purchase-and-expense-manager.php#L604 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/purchase-and-expense-manager/tags/1.1.2/purchase-and-expense-manager.php#L604
Credits
dayea song