{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12133", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-23T19:20:51.823Z", "datePublished": "2025-12-05T05:31:27.179Z", "dateUpdated": "2026-04-08T17:12:20.661Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:12:20.661Z"}, "affected": [{"vendor": "paulepro2019", "product": "EPROLO-Dropshipping", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.3.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The EPROLO Dropshipping plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wp_ajax_eprolo_delete_tracking and wp_ajax_eprolo_save_tracking_data AJAX endpoints in all versions up to, and including, 2.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify and delete tracking data."}], "title": "EPROLO Dropshipping <= 2.3.1 - Missing Authorization to Authenticated (Subscriber+) Tracking Data Modification", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a124da63-01a4-44d8-985b-cacef58ea9a3?source=cve"}, {"url": "https://wordpress.org/plugins/eprolo-dropshipping/"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3412888%40eprolo-dropshipping&new=3412888%40eprolo-dropshipping&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Abhirup Konwar"}], "timeline": [{"time": "2025-12-04T17:23:45.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-05T19:25:36.188705Z", "id": "CVE-2025-12133", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-05T19:25:50.180Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12133", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-05T19:25:36.188705Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-05T19:25:45.029Z"}}], "cna": {"title": "EPROLO Dropshipping <= 2.3.1 - Missing Authorization to Authenticated (Subscriber+) Tracking Data Modification", "credits": [{"lang": "en", "type": "finder", "value": "Abhirup Konwar"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "paulepro2019", "product": "EPROLO-Dropshipping", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.3.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-04T17:23:45.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a124da63-01a4-44d8-985b-cacef58ea9a3?source=cve"}, {"url": "https://wordpress.org/plugins/eprolo-dropshipping/"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3412888%40eprolo-dropshipping&new=3412888%40eprolo-dropshipping&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The EPROLO Dropshipping plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wp_ajax_eprolo_delete_tracking and wp_ajax_eprolo_save_tracking_data AJAX endpoints in all versions up to, and including, 2.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify and delete tracking data."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:12:20.661Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12133", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:12:20.661Z", "dateReserved": "2025-10-23T19:20:51.823Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-05T05:31:27.179Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The EPROLO Dropshipping plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wp_ajax_eprolo_delete_tracking and wp_ajax_eprolo_save_tracking_data AJAX endpoints in all versions up to, and including, 2.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify and delete tracking data."}], "id": "CVE-2025-12133", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-05T06:16:05.540", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3412888%40eprolo-dropshipping&new=3412888%40eprolo-dropshipping&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/eprolo-dropshipping/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a124da63-01a4-44d8-985b-cacef58ea9a3?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T11:39:25.053253+00:00", "value": {"mitigation_remediation": ["Update the EPROLO Dropshipping plugin to version 2.3.2 or later, which includes a proper capability check on the affected AJAX endpoints.", "If an immediate update is not possible, block access to wp_ajax_eprolo_delete_tracking and wp_ajax_eprolo_save_tracking_data for Subscriber\u2011level users using role\u2011based access control or a custom filter.", "Review and tighten the permissions granted to the Subscriber role, ensuring it does not possess higher capabilities than required for its intended use."], "summary": {"action": "Immediate Patch", "impact": "Authorization bypass allowing tracking data modification"}, "threat_synthesis": {"affected_systems": "The flaw affects WordPress sites that have installed the EPROLO Dropshipping plugin from the paulepro2019 project, specifically all versions up to and including 2.3.1. Sites running this plugin, regardless of additional themes or plugins, are susceptible to the described data\u2011tamper attack.", "description_and_impact": "The EPROLO Dropshipping plugin for WordPress suffers from a missing capability check on two AJAX endpoints, wp_ajax_eprolo_delete_tracking and wp_ajax_eprolo_save_tracking_data, in all releases through 2.3.1. This defect lets an authenticated user with the Subscriber role or higher modify or delete shipping\u2011tracking records tied to orders. The vulnerability therefore represents a data integrity and authorization bypass; attackers can alter or remove shipping details, potentially disrupting fulfillment processes and eroding customer confidence.", "risk_and_exploitability": "Scored 4.3 on the CVSS scale, the issue carries a low exploitation probability with an EPSS score of less than 1%. It is not currently listed in CISA\u2019s KEV catalog. Because the flaw requires an authenticated user with at least Subscriber privileges, the attack vector is limited to legitimate logins or user credential compromise. An attacker could use standard AJAX calls to the exposed endpoints without triggering additional security checks, making the exploitation relatively straightforward once the prerequisite role is achieved."}}}}, "created": "2025-12-05T10:51:44.290975+00:00", "updated": "2026-04-22T12:00:05.908837+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}