Overview
CVE-2025-12130 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the WC Vendors – WooCommerce Multivendor, WooCommerce Marketplace, Product Vendors plugin for WordPress. This vulnerability exists in versions up to and including 2.6.4. It allows unauthenticated attackers to potentially delete vendor products from a WooCommerce store if they can successfully trick a site administrator into performing an unintended action, such as clicking a malicious link.
Technical Details
The vulnerability stems from missing or insufficient nonce validation on the /vendor_dashboard/product/delete/ endpoint. WordPress nonces are keyed, time-limited tokens bound to a user and a specific action; a request forged from another site cannot carry a valid one, which is what makes them a CSRF defense. Without proper nonce validation, an attacker can craft a request that is indistinguishable from a legitimate request to delete a product. If a logged-in administrator opens that link (e.g., embedded in an email or on a malicious website), the browser attaches the site's session cookies automatically, the server accepts the request, and the specified product is deleted.
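To make the missing check concrete, the following is an added illustration written for this advisory; it is not WC Vendors' code and does not reproduce the plugin's real handler. The function names, the `product_id` query parameter and the `wcv_delete_product_` nonce action are assumptions. It places the vulnerable pattern the advisory describes (a delete handler with no nonce verification) beside a hardened version that uses the core WordPress APIs wp_nonce_url(), wp_verify_nonce() and current_user_can().

```php
<?php
// Added example, not WC Vendors' own code. Handler names, the 'product_id'
// parameter and the 'wcv_delete_product_' nonce action are assumed.

// BEFORE: the product id comes straight from the request and the only gate is
// "is someone logged in", which a forged cross-site request satisfies because
// the victim's browser sends the session cookie automatically.
function example_vulnerable_delete_handler() {
    if ( ! is_user_logged_in() ) {
        return;
    }
    $product_id = isset( $_GET['product_id'] ) ? absint( $_GET['product_id'] ) : 0;
    if ( $product_id && current_user_can( 'delete_post', $product_id ) ) {
        wp_delete_post( $product_id, true ); // reachable from a forged request
    }
}

// AFTER, step 1: every delete link the dashboard renders carries a nonce that
// is bound to the action *and* the specific product id.
function example_delete_link( $product_id ) {
    $product_id = absint( $product_id );
    $url        = home_url( '/vendor_dashboard/product/delete/?product_id=' . $product_id );
    return wp_nonce_url( $url, 'wcv_delete_product_' . $product_id, '_wpnonce' );
}

// AFTER, step 2: the handler refuses any request whose nonce does not verify.
function example_hardened_delete_handler() {
    // Only act on our own route; everything else passes through untouched.
    $uri = isset( $_SERVER['REQUEST_URI'] ) ? (string) $_SERVER['REQUEST_URI'] : '';
    if ( false === strpos( $uri, '/vendor_dashboard/product/delete/' ) ) {
        return;
    }
    if ( ! is_user_logged_in() ) {
        return;
    }
    $product_id = isset( $_GET['product_id'] ) ? absint( $_GET['product_id'] ) : 0;
    $nonce      = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';

    // The nonce proves the request originated from a page we served to this
    // user for this product. A token issued for product 12 cannot delete 13.
    if ( ! $product_id || ! wp_verify_nonce( $nonce, 'wcv_delete_product_' . $product_id ) ) {
        wp_die( esc_html__( 'Security check failed.', 'example' ), '', array( 'response' => 403 ) );
    }
    // The capability check stays: a nonce proves intent, not authorization.
    if ( 'product' !== get_post_type( $product_id ) || ! current_user_can( 'delete_post', $product_id ) ) {
        wp_die( esc_html__( 'You are not allowed to delete this product.', 'example' ), '', array( 'response' => 403 ) );
    }
    wp_delete_post( $product_id, true );
}
add_action( 'template_redirect', 'example_hardened_delete_handler' );
```

Two design points: the nonce action string includes the product id, so a nonce observed for one product is useless against another; and the capability check is kept after the nonce check, because the nonce only establishes that the request came from a page this site rendered, not that the user may delete the post. Accepting the deletion only over POST (with the nonce in a hidden form field from wp_nonce_field()) would tighten this further, since a plain link can then no longer trigger it.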
CVSS Analysis
The CVSS score for CVE-2025-12130 is 4.3 (Medium). The CVSS vector is likely AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N, meaning:
- AV:N (Attack Vector: Network): The attack can be launched over the network.
- AC:L (Attack Complexity: Low): The attack is relatively easy to perform.
- PR:N (Privileges Required: None): No privileges are required to exploit the vulnerability.
- UI:R (User Interaction: Required): User interaction is required (e.g., clicking a link).
- S:U (Scope: Unchanged): The vulnerability’s impact is limited to the affected component.
- C:N (Confidentiality: None): There is no impact to confidentiality.
- I:L (Integrity: Low): There is a limited impact to integrity (product deletion).
- A:N (Availability: None): There is no impact to availability.
While the severity is Medium, the impact can be significant for vendors relying on their product listings for revenue.
Possible Impact
A successful exploitation of this vulnerability can lead to:
- Product Deletion: Attackers can delete products from vendor stores, disrupting their sales and potentially causing financial loss.
- Reputational Damage: Frequent or widespread product deletions can erode trust in the online marketplace.
- Service Disruption: If attackers target multiple vendors or key products, it can temporarily disrupt the overall operation of the WooCommerce store.
Mitigation and Patch Steps
The recommended mitigation is to update the WC Vendors plugin to the latest version. Ensure you are running a version higher than 2.6.4 where the vulnerability has been patched.
- Update the Plugin: Log in to your WordPress admin dashboard, navigate to the “Plugins” section, and update the WC Vendors plugin to the latest available version.
- Verify Update: After updating, verify that the plugin version is higher than 2.6.4.
- Monitor Logs: Keep an eye on your server and WordPress logs for any suspicious activity, especially related to product deletion attempts.
- Educate Administrators: Train administrators to be cautious about clicking on links from unknown or untrusted sources.
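For the "Monitor Logs" step, the following added example (written for this advisory, not part of WC Vendors or WooCommerce) is a small must-use plugin that records every trash or permanent deletion of a WooCommerce product together with the acting user, client address and Referer. Deletions whose Referer is another host, or that carry no Referer at all, are marked SUSPICIOUS, since that is the shape a cross-site-triggered deletion takes. The `[product-audit]` log prefix and the plugin name are assumptions; the hooks `before_delete_post` and `wp_trash_post` and the helpers wp_get_referer(), wp_get_current_user() and wp_parse_url() are core WordPress APIs.

```php
<?php
/*
 * Plugin Name: Example Product Deletion Audit Log
 * Added illustration for this advisory, not WC Vendors code.
 * Place in wp-content/mu-plugins/ so it loads before ordinary plugins.
 */

// Writes one line to the PHP error log for each product removal.
function example_log_product_removal( $post_id, $verb ) {
    if ( 'product' !== get_post_type( $post_id ) ) {
        return; // only WooCommerce products are of interest here
    }
    $user     = wp_get_current_user();
    $referer  = wp_get_referer(); // false when no usable Referer header was sent
    $site     = wp_parse_url( home_url(), PHP_URL_HOST );
    $ref_host = $referer ? wp_parse_url( $referer, PHP_URL_HOST ) : '';

    // A deletion request that did not come from a page on this site, or that
    // hides its origin entirely, deserves a second look.
    $flag = ( '' === $ref_host || $ref_host !== $site ) ? 'SUSPICIOUS' : 'ok';

    $ip     = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '-';
    $method = isset( $_SERVER['REQUEST_METHOD'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_METHOD'] ) ) : '-';

    error_log( sprintf(
        '[product-audit] %s product=%d user=%s(%d) ip=%s method=%s referer=%s flag=%s',
        $verb,
        $post_id,
        $user->user_login ? $user->user_login : 'anonymous',
        $user->ID,
        $ip,
        $method,
        $referer ? $referer : '(none)',
        $flag
    ) );
}

// Trashing and permanent deletion are separate events in WordPress; log both.
add_action( 'wp_trash_post', function ( $post_id ) {
    example_log_product_removal( $post_id, 'trash' );
}, 10, 1 );
add_action( 'before_delete_post', function ( $post_id ) {
    example_log_product_removal( $post_id, 'delete' );
}, 10, 1 );
```

The Referer test is a heuristic rather than proof: WP-CLI and cron runs have no Referer and will be flagged, and some browsers or privacy settings strip the header from legitimate dashboard requests. Treat the SUSPICIOUS lines as a queue to review, ideally forwarded from the PHP error log to whatever central log store the site already uses, and correlate the product id and user with the deletion the vendor reports.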
