CVE-2025-12130: CWE-352 Cross-Site Request Forgery (CSRF) in wcvendors WC Vendors – WooCommerce Multivendor, WooCommerce Marketplace, Product Vendors
The WC Vendors – WooCommerce Multivendor, WooCommerce Marketplace, Product Vendors plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.4. This is due to missing or incorrect nonce validation on the /vendor_dashboard/product/delete/ endpoint. This makes it possible for unauthenticated attackers to delete vendor products via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
AI Analysis
Technical Summary
CVE-2025-12130 is a medium severity Cross-Site Request Forgery (CSRF) vulnerability identified in the WC Vendors plugin for WordPress, which supports multivendor WooCommerce marketplaces. The vulnerability affects all versions up to and including 2.6.4. The root cause is the absence or improper implementation of nonce validation on the /vendor_dashboard/product/delete/ endpoint. Nonces are security tokens used to verify that requests originate from legitimate users and not from forged sources. Because this validation is missing or incorrect, an attacker can craft a malicious link or webpage that, when visited or clicked by an authenticated site administrator, triggers the deletion of vendor products without their explicit consent. This attack vector requires user interaction but no prior authentication by the attacker, leveraging the administrator’s session. The vulnerability impacts the integrity of vendor product data by enabling unauthorized deletion but does not affect confidentiality or availability. The CVSS v3.1 base score is 4.3, reflecting low complexity and no privileges required but limited impact scope. No public exploits have been reported yet, but the vulnerability poses a risk to e-commerce platforms relying on this plugin for product management. The vulnerability was reserved on October 23, 2025, and published on December 5, 2025. The lack of nonce validation is a common security oversight in WordPress plugin development, emphasizing the need for secure coding practices around state-changing operations.
Potential Impact
The primary impact of CVE-2025-12130 is the unauthorized deletion of vendor products in WooCommerce multivendor marketplaces using the affected WC Vendors plugin. This compromises data integrity, potentially causing financial loss, reputational damage, and operational disruption for vendors and marketplace operators. Although the vulnerability does not expose sensitive data or cause denial of service, the ability to delete products without authorization can undermine trust in the platform and lead to disputes or loss of sales. Attackers can exploit this by social engineering site administrators into clicking malicious links, making it a plausible threat in environments with multiple administrators or less security awareness. The impact is particularly significant for large e-commerce platforms relying on WC Vendors for product management, where product deletion can affect inventory, customer experience, and vendor relationships. Since no authentication is required for the attacker and user interaction is needed, the attack surface includes any administrator who can be tricked, increasing risk in organizations with many privileged users. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as exploit code may emerge.
Mitigation Recommendations
To mitigate CVE-2025-12130, organizations should immediately update the WC Vendors plugin to a version that includes proper nonce validation on the /vendor_dashboard/product/delete/ endpoint once available. Until a patch is released, administrators can implement the following specific measures:
1) Restrict administrative access to trusted users only and enforce strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of session hijacking.
2) Educate administrators about the risks of clicking untrusted links, especially those that could trigger state-changing actions.
3) Employ web application firewalls (WAFs) with custom rules to detect and block suspicious POST requests to the vulnerable endpoint lacking valid nonce tokens.
4) Review and harden WordPress security configurations, including limiting plugin permissions and monitoring logs for unusual product deletion activities.
5) Consider temporarily disabling the vulnerable plugin functionality if feasible until a secure update is applied.
6) Conduct regular security audits and penetration testing focusing on CSRF and other web vulnerabilities in the e-commerce environment.
These targeted steps go beyond generic advice by focusing on nonce validation enforcement, user training, and proactive monitoring tailored to this vulnerability’s characteristics.
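As an added illustration (not WC Vendors' own code), the following shows the missing check this CWE-352 class of bug comes down to, and the hardened form a WordPress plugin should use for a state-changing delete handler. The function names, the `example_` prefix, the nonce action string and the form field names are hypothetical; the WordPress API calls (wp_verify_nonce, current_user_can, wp_nonce_field, wp_delete_post) are real.

```php
<?php
// Added example, not plugin code. "example_*" names are hypothetical.

// Vulnerable pattern: the handler trusts a product ID from the request and
// deletes immediately. Any page that can make a logged-in administrator's
// browser send this request succeeds, because the browser attaches the
// session cookie automatically. This is the shape of a missing-nonce CSRF.
function example_delete_product_vulnerable() {
    $product_id = absint( $_REQUEST['product_id'] ?? 0 );
    wp_delete_post( $product_id, true );
}

// Hardened pattern: require a nonce bound to this action and this user,
// then check authorization, then perform the state change.
function example_delete_product_hardened() {
    $product_id = absint( $_POST['product_id'] ?? 0 );

    // 1. Nonce check. wp_verify_nonce() returns false when the token is
    //    missing, forged, expired, or issued for a different user or action.
    $nonce = isset( $_POST['_wpnonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'example_delete_product_' . $product_id ) ) {
        wp_die( esc_html__( 'Invalid request.', 'example' ), '', array( 'response' => 403 ) );
    }

    // 2. Capability check. A nonce proves intent, not authorization; the
    //    current user must also be allowed to delete this particular post.
    if ( ! current_user_can( 'delete_post', $product_id ) ) {
        wp_die( esc_html__( 'Not allowed.', 'example' ), '', array( 'response' => 403 ) );
    }

    // 3. Only now perform the deletion.
    wp_delete_post( $product_id, true );
}

// The legitimate UI must embed the matching nonce. wp_nonce_field() emits a
// hidden _wpnonce input generated for the same action string, so a form
// built on a third-party site cannot produce a valid value.
function example_delete_form_html( $product_id ) {
    $product_id = absint( $product_id );
    $html  = '<form method="post" action="' . esc_url( home_url( '/vendor_dashboard/product/delete/' ) ) . '">';
    $html .= '<input type="hidden" name="product_id" value="' . $product_id . '">';
    $html .= wp_nonce_field( 'example_delete_product_' . $product_id, '_wpnonce', true, false );
    $html .= '<button type="submit">Delete</button></form>';
    return $html;
}
```

Because the nonce is keyed with the site's secret and the user's session, a WAF rule can only check that the `_wpnonce` field is present on requests to the endpoint; the actual validity check has to happen in the plugin code.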
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-23T18:51:55.361Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69328da7f88dbe026c81c65a
Added to database: 12/5/2025, 7:45:43 AM
Last enriched: 2/27/2026, 8:09:22 PM
Last updated: 3/24/2026, 11:04:42 AM