CVE-2025-12133: Medium Severity Vulnerability in EPROLO Dropshipping Plugin

Overview

A medium severity vulnerability, identified as CVE-2025-12133, has been discovered in the EPROLO Dropshipping plugin for WordPress. This vulnerability affects versions up to and including 2.3.1 and allows authenticated attackers with Subscriber-level access or higher to modify and delete tracking data. This can lead to data manipulation and potential supply chain disruptions for WooCommerce store owners using the plugin.

Technical Details

The vulnerability stems from a missing capability check on the AJAX handlers registered on the wp_ajax_eprolo_delete_tracking and wp_ajax_eprolo_save_tracking_data hooks. These handlers delete and save the tracking information associated with orders managed through the EPROLO Dropshipping plugin. Because the handlers only require that the caller be logged in and never verify a capability, any authenticated user, even one holding the lowest Subscriber role, can send crafted requests to these endpoints and manipulate tracking data. The issue was published on 2025-12-05T06:16:05.540.
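The pattern behind this class of bug, shown as an added illustration rather than the plugin's own code: a wp_ajax_* handler that trusts the login alone, next to a hardened version that verifies a nonce and a capability before touching order data. The two hook names come from the advisory; the handler bodies, the `_eprolo_tracking` meta key, the `eprolo_tracking` nonce action and the `manage_woocommerce` capability are assumptions chosen for the example.

```php
<?php
// Added illustrative example, not code from the EPROLO plugin. Only the two
// wp_ajax_* hook names come from the advisory; everything else is assumed.

// Vulnerable pattern: a wp_ajax_* hook fires for any logged-in user, so with
// no nonce and no capability check a Subscriber can reach this handler.
function eprolo_delete_tracking_vulnerable() {
    $order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
    delete_post_meta( $order_id, '_eprolo_tracking' ); // no authorization
    wp_send_json_success();
}

// Hardened pattern: CSRF check (nonce), authorization check (capability),
// then input validation. wp_send_json_error() ends the request.
function eprolo_delete_tracking_hardened() {
    check_ajax_referer( 'eprolo_tracking', 'nonce' ); // dies on a bad nonce
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
    if ( ! $order_id || 'shop_order' !== get_post_type( $order_id ) ) {
        wp_send_json_error( 'invalid order', 400 );
    }
    delete_post_meta( $order_id, '_eprolo_tracking' );
    wp_send_json_success();
}

function eprolo_save_tracking_data_hardened() {
    check_ajax_referer( 'eprolo_tracking', 'nonce' );
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
    $tracking = isset( $_POST['tracking'] )
        ? sanitize_text_field( wp_unslash( $_POST['tracking'] ) )
        : '';
    if ( ! $order_id || '' === $tracking || 'shop_order' !== get_post_type( $order_id ) ) {
        wp_send_json_error( 'invalid input', 400 );
    }
    update_post_meta( $order_id, '_eprolo_tracking', $tracking );
    wp_send_json_success();
}

// Register the hardened handlers on the hook names named in the advisory.
add_action( 'wp_ajax_eprolo_delete_tracking', 'eprolo_delete_tracking_hardened' );
add_action( 'wp_ajax_eprolo_save_tracking_data', 'eprolo_save_tracking_data_hardened' );
```

The capability to require depends on who legitimately manages orders on the site; the point is that a logged-in session alone is never sufficient authorization for a state-changing admin-ajax action.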

CVSS Analysis

The vulnerability has a CVSS score of 4.3 (MEDIUM). The published vector is probably close to AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, which would mean the vulnerability is network accessible, has low attack complexity, requires low privileges (any authenticated user), requires no user interaction, causes no scope change, and has a partial integrity impact with no impact on confidentiality or availability.

Possible Impact

Exploitation of this vulnerability could lead to several negative consequences:

  • Data Manipulation: Attackers can modify tracking information, potentially misleading customers about the status of their orders.
  • Supply Chain Disruption: By deleting tracking data, attackers can hinder the ability to monitor and manage the dropshipping process.
  • Loss of Trust: Inaccurate or missing tracking information can damage the reputation of the online store and erode customer trust.
  • Potential Financial Loss: Delays or disruptions caused by manipulated tracking data could lead to order cancellations and refunds.

Mitigation or Patch Steps

The recommended mitigation is to update the EPROLO Dropshipping plugin to the latest version immediately; the vulnerability is patched in versions released after 2.3.1. To update, open the Plugins section of the WordPress dashboard and update the EPROLO Dropshipping plugin. If no update is available yet, monitor the plugin page for a release and consider temporarily disabling the plugin until a patched version is published.
