{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12720", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-04T21:20:38.590Z", "datePublished": "2025-12-06T05:49:25.295Z", "dateUpdated": "2026-04-08T16:45:38.927Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:45:38.927Z"}, "affected": [{"vendor": "garidium", "product": "g-FFL Cockpit", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.7.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The g-FFL Cockpit plugin for WordPress is vulnerable to unauthorized modification of data due to IP-based authorization that can be spoofed in the handle_enqueue_only() function in all versions up to, and including, 1.7.1. This makes it possible for unauthenticated attackers to delete arbitrary products."}], "title": "g-FFL Cockpit <= 1.7.1 - Improper Authorization to Unauthenticated Product Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3405974d-cf0a-4fef-9693-5d81833f42d6?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/g-ffl-cockpit/trunk/includes/class-update-processor.php#L634"}, {"url": "https://github.com/d0n601/CVE-2025-12720"}, {"url": "https://ryankozak.com/posts/cve-2025-12720/"}, {"url": "https://plugins.trac.wordpress.org/changeset/3413768/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-285 Improper Authorization", "cweId": "CWE-285", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Ryan Kozak"}], "timeline": [{"time": "2025-12-05T17:38:56.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-08T21:09:02.200189Z", "id": "CVE-2025-12720", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-08T21:09:31.932Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12720", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-08T21:09:02.200189Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-08T21:09:25.539Z"}}], "cna": {"title": "g-FFL Cockpit <= 1.7.1 - Improper Authorization to Unauthenticated Product Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Ryan Kozak"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "garidium", "product": "g-FFL Cockpit", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.7.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-05T17:38:56.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3405974d-cf0a-4fef-9693-5d81833f42d6?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/g-ffl-cockpit/trunk/includes/class-update-processor.php#L634"}, {"url": "https://github.com/d0n601/CVE-2025-12720"}, {"url": "https://ryankozak.com/posts/cve-2025-12720/"}, {"url": "https://plugins.trac.wordpress.org/changeset/3413768/"}], "descriptions": [{"lang": "en", "value": "The g-FFL Cockpit plugin for WordPress is vulnerable to unauthorized modification of data due to IP-based authorization that can be spoofed in the handle_enqueue_only() function in all versions up to, and including, 1.7.1. This makes it possible for unauthenticated attackers to delete arbitrary products."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "CWE-285 Improper Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:45:38.927Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12720", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:45:38.927Z", "dateReserved": "2025-11-04T21:20:38.590Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-06T05:49:25.295Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The g-FFL Cockpit plugin for WordPress is vulnerable to unauthorized modification of data due to IP-based authorization that can be spoofed in the handle_enqueue_only() function in all versions up to, and including, 1.7.1. This makes it possible for unauthenticated attackers to delete arbitrary products."}], "id": "CVE-2025-12720", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-06T06:15:50.730", "references": [{"source": "security@wordfence.com", "url": "https://github.com/d0n601/CVE-2025-12720"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/g-ffl-cockpit/trunk/includes/class-update-processor.php#L634"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3413768/"}, {"source": "security@wordfence.com", "url": "https://ryankozak.com/posts/cve-2025-12720/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3405974d-cf0a-4fef-9693-5d81833f42d6?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T17:40:43.257798+00:00", "value": {"mitigation_remediation": ["Update to g-FFL Cockpit plugin version 1.7.2 or later, which removes the IP\u2011based authorization in handle_enqueue_only().", "If a plugin update is not immediately possible, configure the web server or application firewall to allow the plugin\u2019s product deletion endpoints only from trusted IP ranges and block other requests.", "Modify the plugin code in the handle_enqueue_only() function to perform proper role\u2011based authorization checks for each user, ensuring only users with product\u2011management privileges can delete products."], "summary": {"action": "Apply Patch", "impact": "Unauthenticated deletion of products via improper authorization"}, "threat_synthesis": {"affected_systems": "All installations of the garidium:g-FFL Cockpit plugin that are version 1.7.1 or earlier are affected. These are WordPress sites that have uploaded g-FFL Cockpit to manage product listings.", "description_and_impact": "The g-FFL Cockpit plugin for WordPress contains an IP\u2011based authorization flaw that can be spoofed in the handle_enqueue_only() routine; as a result, attackers who are not logged in can delete any product created in the system. This flaw allows loss of data and availability damage but does not grant code execution or broader system compromise.", "risk_and_exploitability": "The vulnerability scores a CVSS of 5.3, indicating moderate severity, and the EPSS is below 1\u202f%, meaning the current likelihood of exploitation is very low. It is not listed in the CISA KEV catalog. Based on the description, the likely attack vector involves the attacker forging an IP address recognized by the plugin, triggering the deletion routine without authenticating. Once exploited, the attacker can remove arbitrary product entries, potentially disrupting storefronts or catalogs."}}}}, "created": "2025-12-08T09:39:31.321735+00:00", "updated": "2026-04-21T17:45:16.487797+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}