CVE-2025-12130 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the WC Vendors – WooCommerce Multivendor, WooCommerce Marketplace, and Product Vendors WordPress plugins, affecting all versions up to and including 2.6.4. The vulnerability arises from missing or incorrect nonce validation on the /vendor_dashboard/product/delete/ endpoint, which is responsible for handling product deletion requests from vendors. Nonce tokens are security measures used to verify that requests originate from legitimate users and prevent unauthorized actions. Because this validation is absent or improperly implemented, an attacker can craft a malicious web request that, when executed by an authenticated site administrator (e.g., by clicking a link), causes the deletion of vendor products without the administrator's explicit consent. This attack vector requires no authentication on the attacker’s part but does require user interaction from a privileged user, making it a classic CSRF scenario. The vulnerability impacts the integrity of vendor product data by allowing unauthorized deletion but does not compromise confidentiality or availability. The CVSS v3.1 score is 4.3 (medium severity), reflecting the ease of exploitation (network accessible, no privileges required), the need for user interaction, and the limited impact scope. No patches or known exploits are currently reported, but the risk remains significant for e-commerce sites relying on this plugin. The vulnerability is particularly critical for online marketplaces where product data integrity is essential for business operations and customer trust.

For European organizations operating e-commerce platforms using the WC Vendors plugin, this vulnerability poses a risk to the integrity of their product catalogs. Unauthorized deletion of vendor products can lead to loss of sales, disruption of vendor relationships, and damage to brand reputation. While confidentiality and availability are not directly impacted, the integrity breach can cause operational downtime and require manual recovery efforts. In regulated sectors, such as retail and consumer goods, this could also lead to compliance issues if product information is manipulated or lost. The attack requires tricking an administrator, so organizations with less security awareness or insufficient phishing defenses are at higher risk. Given the widespread use of WooCommerce in Europe, especially in countries with mature e-commerce markets, the potential impact is significant. The absence of known exploits in the wild suggests the threat is currently theoretical but could be weaponized by attackers targeting high-value marketplaces or vendors.

Organizations should immediately verify if they use affected versions of the WC Vendors plugin and plan to update to a patched version once released. In the absence of an official patch, administrators can implement manual nonce validation on the /vendor_dashboard/product/delete/ endpoint to ensure requests are legitimate. Web application firewalls (WAFs) can be configured to detect and block suspicious CSRF attempts targeting this endpoint. Additionally, administrators should be trained to recognize phishing attempts and avoid clicking on unsolicited links, especially when logged into administrative accounts. Employing multi-factor authentication (MFA) for admin accounts can reduce the risk of session hijacking that could facilitate CSRF attacks. Regular backups of product data should be maintained to enable quick recovery from unauthorized deletions. Monitoring logs for unusual deletion activity can help detect exploitation attempts early. Finally, limiting administrative privileges to only necessary personnel reduces the attack surface.