Platform: wordpress
Component: wc-vendors
Fixed in: 2.6.5
CVE-2025-12130 is a Cross-Site Request Forgery (CSRF) vulnerability discovered in the WC Vendors – WooCommerce Multivendor, WooCommerce Marketplace, and Product Vendors plugin for WordPress. This flaw allows unauthenticated attackers to delete vendor products if they can manipulate a site administrator into performing a malicious action. The vulnerability impacts versions 0.0.0 through 2.6.4, and a patch is available in version 2.6.4.1.
An attacker can exploit this CSRF vulnerability by crafting a malicious link or form that, when accessed by a logged-in administrator, triggers the deletion of vendor products. This could lead to significant disruption of the marketplace, loss of vendor data, and potential financial damage. The impact is amplified if the administrator has broad permissions, allowing for widespread product deletion. This vulnerability highlights the importance of proper nonce validation in web applications to prevent unauthorized actions.
This vulnerability was publicly disclosed on 2025-12-05. No public proof-of-concept (PoC) code has been released at the time of writing, but the ease of exploitation makes it a potential target for automated attacks. The vulnerability is not currently listed on CISA KEV, but its relatively simple exploitation pattern warrants monitoring.
Exploit Status
EPSS: 0.02% (4th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade the WC Vendors plugin to version 2.6.4.1 or later, which includes the necessary nonce validation fixes. As an interim measure, implement Web Application Firewall (WAF) rules to filter out suspicious requests to the /vendor_dashboard/product/delete/ endpoint. Educate administrators about the risks of clicking on untrusted links and performing actions without verifying their legitimacy. Regularly review user permissions to minimize the potential impact of a successful attack.
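The advisory attributes the flaw to missing nonce validation on the product-delete action and names nonce validation as the fix. The following is an added illustration of that defensive pattern, written for this page; it is not the WC Vendors plugin's code, and the function names, the `template_redirect` hook and the request parameter names are assumptions chosen for the example. It places a bare-request delete handler beside a hardened one that combines a WordPress nonce check with a capability check.

```php
<?php
/**
 * Hypothetical illustration of the CSRF pattern described in this advisory.
 * This is NOT the WC Vendors plugin's code; function names, the hook and the
 * request parameters are assumptions chosen for the example.
 */

// --- Unprotected pattern: a state-changing action driven by a bare GET request.
// Nothing proves the request originated from the site's own UI, so any page
// that makes a logged-in user's browser request this URL triggers the delete.
// Shown for comparison only; it is deliberately not hooked anywhere.
function example_delete_product_unprotected() {
    if ( empty( $_GET['example_delete_product'] ) ) {
        return;
    }
    $product_id = absint( $_GET['example_delete_product'] );
    wp_delete_post( $product_id, true ); // no nonce check, no capability check
}

// --- Hardened pattern: POST only, nonce check, capability check, post-type check.
function example_delete_product_hardened() {
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] || empty( $_POST['example_delete_product'] ) ) {
        return;
    }
    $product_id = absint( $_POST['example_delete_product'] );

    // 1. CSRF defence: the nonce is bound to this action, this product ID, the
    //    logged-in user and a time window, so a forged form cannot supply it.
    $nonce = isset( $_POST['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'example_delete_product_' . $product_id ) ) {
        wp_die( esc_html__( 'Security check failed.', 'example' ), '', array( 'response' => 403 ) );
    }

    // 2. Authorisation: a nonce is not an access-control mechanism, so the
    //    capability is checked against the specific post as well.
    if ( ! current_user_can( 'delete_post', $product_id ) ) {
        wp_die( esc_html__( 'You are not allowed to delete this product.', 'example' ), '', array( 'response' => 403 ) );
    }

    // 3. Only act on the intended object type.
    if ( 'product' !== get_post_type( $product_id ) ) {
        wp_die( esc_html__( 'Invalid product.', 'example' ), '', array( 'response' => 400 ) );
    }

    wp_delete_post( $product_id, true );
    wp_safe_redirect( add_query_arg( 'deleted', '1', wp_get_referer() ?: home_url( '/' ) ) );
    exit;
}
add_action( 'template_redirect', 'example_delete_product_hardened' );

// The legitimate form carries the matching nonce, generated for the same
// action string the handler verifies against.
function example_delete_product_form( $product_id ) {
    ob_start();
    ?>
    <form method="post" action="">
        <input type="hidden" name="example_delete_product" value="<?php echo esc_attr( $product_id ); ?>">
        <?php wp_nonce_field( 'example_delete_product_' . $product_id ); ?>
        <button type="submit"><?php esc_html_e( 'Delete product', 'example' ); ?></button>
    </form>
    <?php
    return ob_get_clean();
}
```

The nonce check and the capability check guard different things: the nonce proves the request came from a form the site itself rendered for this user, while `current_user_can( 'delete_post', $product_id )` proves the user is allowed to delete that particular product. Dropping either one reintroduces a bug, which is why the hardened handler keeps both and also refuses to act on GET requests.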
Update to version 2.6.4.1, or a newer patched version
CVE-2025-12130 is a Cross-Site Request Forgery vulnerability in WC Vendors versions 0.0.0–2.6.4, allowing attackers to delete vendor products via forged requests.
If you are using WC Vendors versions 0.0.0 through 2.6.4 on your WordPress site, you are potentially affected by this vulnerability.
Upgrade the WC Vendors plugin to version 2.6.4.1 or later to resolve the vulnerability. Implement WAF rules as an interim measure.
While no active exploitation has been confirmed, the ease of exploitation makes it a potential target for attackers.
Refer to the official WC Vendors website or plugin repository for the latest advisory and update information.