Platform
wordpress
Component
wc-vendors
Fixed in
2.6.5
CVE-2025-12130 is a Cross-Site Request Forgery (CSRF) vulnerability in the WC Vendors – WooCommerce Multivendor, WooCommerce Marketplace, and Product Vendors plugin for WordPress. It allows an unauthenticated attacker to delete vendor products, provided the attacker can get a logged-in site administrator to follow a crafted link or submit a crafted form. Versions 0.0.0 through 2.6.4 are affected; the fix shipped in version 2.6.4.1.
The root cause is that the product-delete action does not validate a nonce, so the plugin never checks that the request originated from its own dashboard. An attacker hosts a page containing a link, image tag or auto-submitting form that targets the delete endpoint; when an administrator with an active session loads that page, the browser attaches the site's authentication cookies and the deletion runs with the administrator's privileges. Because an administrator can delete any vendor's products, a single forged request can remove listings across the marketplace, with the resulting loss of vendor data and revenue. The flaw is a textbook case of why every state-changing WordPress action needs nonce validation in addition to a capability check.
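To make the missing check concrete, here is an added example written for this page (it is not WC Vendors' own code): a minimal WordPress delete handler in its CSRF-vulnerable form beside a hardened one that adds the capability and nonce checks. The hook, the `vd_delete` query parameter and the `vd_delete_product_` action prefix are assumptions for illustration; the WordPress functions used (`wp_verify_nonce`, `wp_nonce_url`, `current_user_can`, `wp_delete_post`) are real core APIs.

```php
<?php
// Added example, not WC Vendors code. Parameter and hook names are hypothetical.
// Both handlers assume they run inside WordPress, where the core functions exist.

// --- Vulnerable: any request carrying ?vd_delete=<id> while the victim is logged
// in deletes the product. A forged <img src="..."> or auto-submitting form on an
// attacker's page is enough, because the browser attaches the auth cookies.
function vd_delete_product_vulnerable() {
    if ( empty( $_GET['vd_delete'] ) ) {
        return;
    }
    $product_id = absint( $_GET['vd_delete'] );
    wp_delete_post( $product_id, true );
    wp_safe_redirect( wp_get_referer() ?: home_url() );
    exit;
}

// --- Hardened: require a capability check AND a nonce bound to this product.
// A WordPress nonce is a time-limited token (valid 12 to 24 hours by default)
// derived from the logged-in user and session; an attacker cannot obtain it
// from another origin, so a forged request fails here.
function vd_delete_product_hardened() {
    if ( empty( $_GET['vd_delete'] ) ) {
        return;
    }
    $product_id = absint( $_GET['vd_delete'] );

    // 1. Authorisation: only a user allowed to delete this post (the vendor who
    //    owns it, or an administrator). Nonces are not an authorisation check.
    if ( ! current_user_can( 'delete_post', $product_id ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 2. CSRF: the action string includes the product id, so a token issued
    //    for one product cannot be replayed to delete another.
    $nonce = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'vd_delete_product_' . $product_id ) ) {
        wp_die( 'Invalid or expired security token', '', array( 'response' => 403 ) );
    }

    // 3. Scope: only delete the post type this feature manages.
    if ( get_post_type( $product_id ) !== 'product' ) {
        wp_die( 'Not a product', '', array( 'response' => 400 ) );
    }

    wp_delete_post( $product_id, true );
    wp_safe_redirect( wp_get_referer() ?: home_url() );
    exit;
}

// The dashboard link that legitimately triggers the hardened handler must carry a
// matching nonce; wp_nonce_url() appends _wpnonce=<token> for the same action string.
function vd_delete_link( $product_id ) {
    return wp_nonce_url(
        add_query_arg( 'vd_delete', $product_id, home_url( '/vendor_dashboard/' ) ),
        'vd_delete_product_' . $product_id
    );
}

add_action( 'template_redirect', 'vd_delete_product_hardened' );
```

Two design points: the capability check and the nonce check are independent, because a nonce only proves the request came from a page the site itself rendered for that user, not that the user may perform the action; and a destructive operation is better moved to a POST form with `wp_nonce_field()` than left on a GET link, since GET links are trivially embedded in image tags and prefetched by some clients.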
This vulnerability was publicly disclosed on 2025-12-05. No public proof-of-concept (PoC) code had been released at the time of writing, but CSRF against a fixed endpoint path is simple to weaponise once the URL pattern is known, so that gap is unlikely to last. The vulnerability is not currently listed on CISA KEV, but its simple exploitation pattern warrants monitoring.
Any WordPress site running an affected WC Vendors version is at risk. Exploitation needs only a user who is permitted to delete vendor products (an administrator, per the advisory) to have an active session on the site while loading attacker-controlled content; the larger the catalogue and the more vendors it hosts, the greater the damage a single forged request can do. Because CSRF rides on the victim's browser session with one specific site, shared hosting does not change the exposure: a forged request to one site cannot act on a neighbouring site's session.
• wordpress / composer / npm:
grep -r 'vendor_dashboard/product/delete/' wp-content/plugins/wc-vendors/
(This only confirms the plugin exposes the delete route; the installed version decides whether it is vulnerable.)
• wordpress / composer / npm:
wp plugin list --status=active --fields=name,version | grep wc-vendors
(Anything at or below 2.6.4 is affected.)
• generic web:
Check access logs for requests to /vendor_dashboard/product/delete/ whose Referer is missing or points to a foreign host; a legitimate dashboard click carries the site's own Referer.
• generic web:
Inspect responses to links containing /vendor_dashboard/product/delete/: an unexpected redirect after a cross-site request means the deletion was accepted, whereas a patched plugin should reject the request before acting.
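The access-log check above, as an added example that is not part of the original advisory: a small PHP scanner that parses combined-format log lines and flags requests to the delete endpoint whose Referer is absent or belongs to another origin. The log lines are constructed, and the site host `shop.example` and the endpoint path are assumptions.

```php
<?php
// Added example (not part of the original advisory). Log lines are constructed;
// the site host and endpoint path are assumptions for illustration.
const SITE_HOST   = 'shop.example';
const DELETE_PATH = '/vendor_dashboard/product/delete/';

// Apache/nginx "combined" format:
// ip - user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
const LINE_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/';

function parse_line( string $line ): ?array {
    if ( ! preg_match( LINE_RE, $line, $m ) ) {
        return null; // unparseable line; skip rather than guess
    }
    return [
        'ip'      => $m[1],
        'time'    => $m[2],
        'method'  => $m[3],
        'path'    => $m[4],
        'status'  => (int) $m[5],
        'referer' => $m[6],
    ];
}

// A delete request is suspicious when its Referer is absent or from another
// origin: a click inside the vendor dashboard carries the site's own Referer,
// while a forged <img>/<form> on an attacker page carries the attacker's origin
// (browsers send at least the origin under the default referrer policy).
function is_cross_site_delete( array $r ): bool {
    if ( strpos( $r['path'], DELETE_PATH ) !== 0 ) {
        return false;
    }
    if ( $r['referer'] === '' || $r['referer'] === '-' ) {
        return true;
    }
    $host = parse_url( $r['referer'], PHP_URL_HOST );
    return strcasecmp( (string) $host, SITE_HOST ) !== 0;
}

function find_suspicious( array $lines ): array {
    $hits = [];
    foreach ( $lines as $line ) {
        $r = parse_line( $line );
        if ( $r !== null && is_cross_site_delete( $r ) ) {
            $hits[] = $r;
        }
    }
    return $hits;
}

// Constructed sample: one legitimate dashboard delete, one forged GET with a
// foreign Referer, one forged POST with no Referer, and an unrelated page view.
$sample = [
    '203.0.113.5 - - [05/Dec/2025:10:01:02 +0000] "GET /vendor_dashboard/product/delete/123/ HTTP/1.1" 302 0 "https://shop.example/vendor_dashboard/" "Mozilla/5.0"',
    '198.51.100.9 - - [05/Dec/2025:10:02:15 +0000] "GET /vendor_dashboard/product/delete/124/ HTTP/1.1" 302 0 "https://evil.example/promo.html" "Mozilla/5.0"',
    '198.51.100.9 - - [05/Dec/2025:10:02:16 +0000] "POST /vendor_dashboard/product/delete/125/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [05/Dec/2025:10:03:00 +0000] "GET /shop/ HTTP/1.1" 200 5120 "https://evil.example/" "Mozilla/5.0"',
];

foreach ( find_suspicious( $sample ) as $hit ) {
    printf( "%s %s %s %s status=%d referer=%s\n",
        $hit['time'], $hit['ip'], $hit['method'], $hit['path'], $hit['status'], $hit['referer'] );
}
```

Read the status column together with the Referer: a 302 on a cross-site hit means the plugin accepted the request (the deletion likely went through), whereas a 403 after upgrading is the nonce check doing its job. A missing Referer is the weaker signal, since some referrer policies and privacy extensions strip it, so treat those hits as leads to confirm against the products table rather than as proof.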
disclosure
Exploit status
EPSS
0.02% (4th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade the WC Vendors plugin to version 2.6.4.1 or later, which adds the missing nonce validation. As an interim measure, add a Web Application Firewall (WAF) rule for the /vendor_dashboard/product/delete/ endpoint, but scope it to cross-site requests (for example requests with Sec-Fetch-Site: cross-site, or an Origin/Referer from another host) rather than blocking the path outright, which would break vendors' legitimate deletes. Remind administrators not to browse untrusted pages while logged in to the site, and review user roles so that as few accounts as possible can delete vendor products.
Update to version 2.6.4.1, or a newer patched version
CVE-2025-12130 is a Cross-Site Request Forgery vulnerability in WC Vendors versions 0.0.0–2.6.4, allowing attackers to delete vendor products via forged requests.
If you are using WC Vendors versions 0.0.0 through 2.6.4 on your WordPress site, you are potentially affected by this vulnerability.
Upgrade the WC Vendors plugin to version 2.6.4.1 or later to resolve the vulnerability. Implement WAF rules as an interim measure.
While no active exploitation has been confirmed, the ease of exploitation makes it a potential target for attackers.
Refer to the official WC Vendors website or plugin repository for the latest advisory and update information.