{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12130", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-23T18:51:55.361Z", "datePublished": "2025-12-05T07:26:18.017Z", "dateUpdated": "2026-04-08T17:29:03.861Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:29:03.861Z"}, "affected": [{"vendor": "wcvendors", "product": "WC Vendors \u2013 WooCommerce Multivendor, WooCommerce Marketplace, Product Vendors", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.6.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WC Vendors \u2013 WooCommerce Multivendor, WooCommerce Marketplace, Product Vendors plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.4. This is due to missing or incorrect nonce validation on the /vendor_dashboard/product/delete/ endpoint. This makes it possible for unauthenticated attackers to delete vendor products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "WC Vendors \u2013 WooCommerce Multivendor, WooCommerce Marketplace, Product Vendors <= 2.6.4 - Cross-Site Request Forgery to Vendor Product Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e1ed77cf-2595-477a-af86-25c917817984?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3408849/wc-vendors/trunk/classes/front/class-wcv-product-controller.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "timeline": [{"time": "2025-12-04T19:20:08.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-05T12:54:03.315279Z", "id": "CVE-2025-12130", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-05T12:55:27.227Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12130", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-05T12:54:03.315279Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-05T12:54:25.271Z"}}], "cna": {"title": "WC Vendors \u2013 WooCommerce Multivendor, WooCommerce Marketplace, Product Vendors <= 2.6.4 - Cross-Site Request Forgery to Vendor Product Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "wcvendors", "product": "WC Vendors \u2013 WooCommerce Multivendor, WooCommerce Marketplace, Product Vendors", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.6.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-04T19:20:08.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e1ed77cf-2595-477a-af86-25c917817984?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3408849/wc-vendors/trunk/classes/front/class-wcv-product-controller.php"}], "descriptions": [{"lang": "en", "value": "The WC Vendors \u2013 WooCommerce Multivendor, WooCommerce Marketplace, Product Vendors plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.4. This is due to missing or incorrect nonce validation on the /vendor_dashboard/product/delete/ endpoint. This makes it possible for unauthenticated attackers to delete vendor products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:29:03.861Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12130", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:29:03.861Z", "dateReserved": "2025-10-23T18:51:55.361Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-05T07:26:18.017Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WC Vendors \u2013 WooCommerce Multivendor, WooCommerce Marketplace, Product Vendors plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.4. This is due to missing or incorrect nonce validation on the /vendor_dashboard/product/delete/ endpoint. This makes it possible for unauthenticated attackers to delete vendor products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "id": "CVE-2025-12130", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-05T08:15:46.170", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3408849/wc-vendors/trunk/classes/front/class-wcv-product-controller.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e1ed77cf-2595-477a-af86-25c917817984?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T17:43:37.748305+00:00", "value": {"mitigation_remediation": ["Upgrade the WC Vendors plugin to version 2.6.5 or later to obtain the fixed CSRF protection.", "Ensure that all delete requests to /vendor_dashboard/product/delete/ validate a correct nonce before processing the deletion.", "Configure a web\u2011application firewall to detect and block incoming requests to the delete endpoint that lack the required nonce or contain suspicious query parameters.", "Educate site administrators to avoid clicking unknown links and to verify URLs before actioning them."], "summary": {"action": "Patch", "impact": "Unauthorized Deletion of Vendor Products"}, "threat_synthesis": {"affected_systems": "All installations of the WC Vendors \u2013 WooCommerce Multivendor, WooCommerce Marketplace, Product Vendors plugin with version 2.6.4 or earlier are affected. The vulnerability is specific to the product deletion path on the vendor dashboard and applies to the WordPress site configured with this plugin.", "description_and_impact": "The WC Vendors plugin for WordPress is vulnerable to a Cross\u2011Site Request Forgery flaw (CWE\u2011352) that allows an unauthenticated attacker to delete vendor products. The flaw exists because the /vendor_dashboard/product/delete/ endpoint does not validate the required nonce, so a forged request can be accepted. If an attacker can convince a site administrator to click a crafted link or image, any vendor product can be removed, potentially causing loss of catalog items, revenue loss, and reputational damage.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a moderate impact, and the EPSS score of less than 1% suggests a low probability of exploitation at the time of analysis. The flaw is not listed in the CISA KEV catalog. The likely attack path requires the attacker to get an administrator or another privileged user to click a malicious link that triggers a delete request without a valid nonce. Because the request can be performed from a third\u2011party site, the core risk is the potential loss of vendor inventory and associated revenue. Mitigation is most effectively achieved by upgrading the plugin or implementing proper nonce validation."}}}}, "created": "2025-12-05T20:56:23.248229+00:00", "updated": "2026-04-21T17:45:16.491492+00:00", "vendors": ["wcvendors", "wcvendors$PRODUCT$woocommerce_multi-vendor,_woocommerce_marketplace,_product_vendors", "wordpress", "wordpress$PRODUCT$wordpress"]}