CVE-2025-12721: Critical Information Leak Exposes g-FFL Cockpit WordPress Plugin

Overview

CVE-2025-12721 is a medium-severity vulnerability affecting the g-FFL Cockpit WordPress plugin, versions up to and including 1.7.1. This vulnerability allows unauthenticated attackers to access sensitive server information via the /server_status REST API endpoint due to missing capability checks. This means anyone can potentially retrieve configuration details and other sensitive data about the server hosting the WordPress site.

Technical Details

The vulnerability stems from the /server_status REST API endpoint within the g-FFL Cockpit plugin. Specifically, the plugin fails to implement proper authentication and authorization checks before exposing server-related information. The class-sync-endpoint.php file (specifically, around line 1385 in the older versions) lacks the necessary capability checks to restrict access to this endpoint. This allows any unauthenticated user to query the endpoint and retrieve potentially sensitive data.

The affected code is in that file, where the server status data is collected and returned to the caller without any check of the caller's permissions.
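As an added illustration (not the plugin's own code, which this advisory does not reproduce), the following shows the WordPress REST registration pattern behind this class of bug: a route whose permission_callback always returns true, next to the capability-checked form a fix requires. The namespace, function names and returned fields are assumptions; only the /server_status route comes from the advisory.

```php
<?php
// Added example, not g-FFL Cockpit code. 'example-cockpit/v1', the function
// names and the returned fields are assumptions; only /server_status is from
// the advisory.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-cockpit/v1', '/server_status', array(
        'methods'  => 'GET',
        'callback' => 'example_cockpit_server_status',

        // Vulnerable form: WordPress serves the route to anyone, logged in
        // or not, because the permission check is a no-op:
        //   'permission_callback' => '__return_true',
        // (Omitting permission_callback entirely behaves the same way.)

        // Hardened form: the permission check runs before the callback and
        // rejects callers who lack the required capability.
        'permission_callback' => 'example_cockpit_can_view_status',
    ) );
} );

// Returns true to allow the request, or a WP_Error that WordPress turns
// into a 401 (not logged in) or 403 (logged in, insufficient capability).
function example_cockpit_can_view_status( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            'You must be logged in to view server status.',
            array( 'status' => 401 )
        );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'You do not have permission to view server status.',
            array( 'status' => 403 )
        );
    }
    return true;
}

// Constructed payload: a real status endpoint returns far more detail,
// which is exactly why it must not be reachable without authorization.
function example_cockpit_server_status( WP_REST_Request $request ) {
    return new WP_REST_Response( array(
        'php_version' => PHP_VERSION,
        'wp_version'  => get_bloginfo( 'version' ),
    ), 200 );
}
```

With the hardened registration in place, an unauthenticated GET to wp-json/example-cockpit/v1/server_status receives a 401 JSON error instead of the status payload, which is the behaviour to confirm after updating the plugin.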

CVSS Analysis

The CVSS score for CVE-2025-12721 is 5.3 (Medium). The CVSS vector is likely AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N.

  • Attack Vector (AV): Network (N) – The vulnerability can be exploited over the network.
  • Attack Complexity (AC): Low (L) – The attack requires no special conditions.
  • Privileges Required (PR): None (N) – No privileges are required to exploit the vulnerability.
  • User Interaction (UI): None (N) – No user interaction is required to exploit the vulnerability.
  • Scope (S): Unchanged (U) – An exploited vulnerability can only affect resources managed by the same security authority.
  • Confidentiality (C): Low (L) – There is limited information disclosure.
  • Integrity (I): None (N) – There is no impact to integrity.
  • Availability (A): None (N) – There is no impact to availability.

While the integrity and availability impacts are none, the low confidentiality impact can still be significant as it could expose sensitive server configuration details.

Possible Impact

Successful exploitation of this vulnerability could allow an attacker to:

  • Gather information about the server’s configuration, including software versions, installed plugins, and environment variables.
  • Potentially discover sensitive credentials stored in configuration files.
  • Use the gathered information to plan further attacks against the server or the WordPress site.
  • Expose server information to the public if the REST API is not properly secured.

Mitigation and Patch Steps

  1. Update the g-FFL Cockpit plugin: The primary mitigation step is to update the g-FFL Cockpit plugin to the latest available version. Check the WordPress plugin repository for updates. Versions newer than 1.7.1 should contain a fix for this vulnerability.
  2. Disable the plugin: If an update is not immediately available, consider temporarily disabling the g-FFL Cockpit plugin until a patched version is released.
  3. Implement Network Security Measures: Consider implementing network-level access controls to restrict access to the /server_status endpoint. While this doesn’t address the underlying vulnerability, it can provide an additional layer of security.
  4. Monitor for Suspicious Activity: Monitor your server logs for unusual requests to the /server_status endpoint.
