CVE-2025-12130: CWE-352 Cross-Site Request Forgery (CSRF) in wcvendors WC Vendors – WooCommerce Multivendor, WooCommerce Marketplace, Product Vendors
The WC Vendors – WooCommerce Multivendor, WooCommerce Marketplace, Product Vendors plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.4. This is due to missing or incorrect nonce validation on the /vendor_dashboard/product/delete/ endpoint. This makes it possible for unauthenticated attackers to delete vendor products via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
AI Analysis
Technical Summary
CVE-2025-12130 is a medium-severity Cross-Site Request Forgery (CSRF) vulnerability in the WC Vendors – WooCommerce Multivendor, WooCommerce Marketplace, Product Vendors plugin for WordPress, affecting all versions up to and including 2.6.4. The root cause (CWE-352) is missing or incorrect nonce validation on the /vendor_dashboard/product/delete/ endpoint, the front-end dashboard route that handles product deletion for vendors.

A WordPress "nonce" is not a true single-use number. It is a short keyed hash that wp_create_nonce() derives from the current user ID, the user's session token, an action string and a time tick, and that wp_verify_nonce() accepts for roughly 12 to 24 hours. A third-party page cannot read or compute that value, so requiring a valid nonce for the exact delete action is what proves the request was initiated from the plugin's own dashboard rather than from another site. Capability checks such as current_user_can() do not provide that proof: the victim's browser attaches the site's login cookies to any request aimed at the site, so a forged request passes authorization with the victim's privileges.

With the nonce check missing, or performed incorrectly (common forms are ignoring the return value of wp_verify_nonce() or checking a different action string from the one used to mint the token), an attacker can host a page containing a link, image or auto-submitting form that sends a delete request to the endpoint. When an authenticated user whom the endpoint authorizes (the advisory names a site administrator) loads that page or clicks the link, the product is deleted without their consent. The attacker needs no account on the target site but does need the privileged user to interact, so social engineering is a prerequisite. The impact is to integrity only: vendor products can be deleted, with the resulting business disruption and loss of vendor trust.

The CVSS 3.1 base score of 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) reflects a network attack vector with low complexity, no privileges required, user interaction required, and a low integrity impact with no confidentiality or availability impact. No public exploit has been reported, but the vulnerability is publicly disclosed and documented. The plugin is widely used for WordPress-based multivendor marketplaces, so the issue is relevant to any organization running such a platform.
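To make the difference concrete, here is an added example written for this page (not code from the WC Vendors plugin) showing a front-end delete handler in the vulnerable shape the advisory describes beside a hardened version. The `hyp_` function names, the `edit_products` capability, the `product_id` query parameter and the `hyp_nonce` parameter name are assumptions; the WordPress API calls (`current_user_can`, `wp_nonce_url`, `wp_verify_nonce`, `wp_delete_post`) are real.

```php
<?php
// Added example for this page, not WC Vendors' own code. Names prefixed "hyp_" are
// hypothetical, as are the 'edit_products' capability and the query parameter names.

// VULNERABLE SHAPE: authorization only. A logged-in victim's browser attaches the
// site cookies to a request forged by another origin, so the capability check
// passes and nothing proves the request came from the plugin's own dashboard.
function hyp_vendor_delete_product_vulnerable() {
    if ( ! current_user_can( 'edit_products' ) ) {
        return;
    }
    $product_id = isset( $_GET['product_id'] ) ? absint( $_GET['product_id'] ) : 0;
    if ( $product_id && 'product' === get_post_type( $product_id ) ) {
        wp_delete_post( $product_id, true ); // runs with the victim's privileges
    }
}

// HARDENED, step 1: mint a nonce when rendering the delete link. wp_create_nonce()
// (called by wp_nonce_url()) derives the token from the current user ID, the user's
// session token, the action string and a time tick, so a third-party page cannot
// produce it. Binding the product ID into the action string stops a token issued
// for one product being replayed against another.
function hyp_vendor_delete_link( $product_id ) {
    $product_id = absint( $product_id );
    $url        = add_query_arg( 'product_id', $product_id, home_url( '/vendor_dashboard/product/delete/' ) );
    return wp_nonce_url( $url, 'hyp_vendor_delete_product_' . $product_id, 'hyp_nonce' );
}

// HARDENED, step 2: verify the nonce before doing anything. wp_verify_nonce()
// returns false on failure and 1 or 2 on success, so the return value must be
// checked, and the action string must match the one used when the link was built.
function hyp_vendor_delete_product_hardened() {
    $product_id = isset( $_GET['product_id'] ) ? absint( $_GET['product_id'] ) : 0;
    $nonce      = isset( $_GET['hyp_nonce'] ) ? sanitize_text_field( wp_unslash( $_GET['hyp_nonce'] ) ) : '';

    if ( ! $product_id || false === wp_verify_nonce( $nonce, 'hyp_vendor_delete_product_' . $product_id ) ) {
        wp_die( esc_html__( 'Security check failed.', 'hyp' ), '', array( 'response' => 403 ) );
    }

    // The nonce proves intent, not permission: keep the authorization checks and
    // tie the deletion to the vendor who owns the product.
    $product = get_post( $product_id );
    if ( ! $product
        || 'product' !== $product->post_type
        || ! current_user_can( 'edit_products' )
        || (int) $product->post_author !== get_current_user_id() ) {
        wp_die( esc_html__( 'You may not delete this product.', 'hyp' ), '', array( 'response' => 403 ) );
    }
    wp_delete_post( $product_id, true );
}
```

Deleting via a nonce-carrying GET link is WordPress convention (core's own trash links work this way), but a POST form with wp_nonce_field() is preferable for a destructive action: it keeps the token out of Referer headers and access logs, and Chromium's SameSite=Lax cookie default then blocks the cross-site request even if the nonce check were to regress.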
Potential Impact
For European organizations operating e-commerce marketplaces on the WC Vendors plugin, the risk is unauthorized deletion of vendor products, which can mean operational disruption, lost sales and damaged vendor relationships. The integrity of product listings underpins marketplace trust and revenue; listings that disappear without explanation erode customer confidence and vendor participation. The vulnerability exposes no confidential data and causes no denial of service, but it lets an attacker who holds no credentials on the site act with a privileged user's session, and a successful deletion can itself become a lever for further social engineering of marketplace staff. Given how widely WooCommerce is used across Europe, particularly in countries with mature e-commerce sectors, the impact could be broad if the issue were exploited at scale. Because user interaction is required, attackers would most likely deliver the forged request through phishing or similar campaigns aimed at administrators and vendors. Two caveats shape the real exposure: Chromium-based browsers treat cookies without an explicit SameSite attribute as Lax, which blocks a forged cross-site POST but not a top-level GET navigation such as a clicked link, so an endpoint reachable by GET stays exploitable; and only users whom the endpoint authorizes to delete products are useful victims. The absence of known exploits in the wild leaves a window for proactive mitigation before abuse begins.
Mitigation Recommendations
1. Apply the official plugin update from the WC Vendors developers as soon as it is available, and confirm the fixed version in the plugin changelog or the Wordfence advisory before treating an update as remediation.
2. Until the update is applied, virtually patch the /vendor_dashboard/product/delete/ endpoint: hook early in the request (for example from a must-use plugin on init) and reject requests that lack a valid nonce or whose Origin/Referer host is not the site itself. If you modify the plugin directly, use wp_nonce_url() or wp_nonce_field() when rendering the delete control and check the return value of wp_verify_nonce() or check_admin_referer() before deleting; keep the existing capability and ownership checks, since a nonce proves intent, not permission. Prefer POST for the deletion so that Lax cookie defaults give a second line of defence.
3. Educate administrators and vendors (any user who can delete products is a usable victim) about clicking unsolicited links or visiting untrusted sites while logged in to the dashboard.
4. Add a WAF rule for the endpoint that blocks requests whose Origin or Referer header is absent or names another host. Privacy extensions and some referrer policies strip Referer, so test the rule against legitimate dashboard clicks before enforcing it.
5. Audit product deletions: log user, source IP, Origin/Referer and product ID for every request to the endpoint, and alert on deletions that arrive with a foreign or missing referrer or in unusual bursts.
6. Restricting dashboard access to trusted networks or a VPN reduces exposure to other attacks but does not stop CSRF, because the forged request is issued by the victim's own browser from inside the trusted network; treat it as defence in depth only.
7. Multi-factor authentication for administrator accounts likewise does not block CSRF, since the victim is already authenticated when the forged request fires, but it limits the damage from the credential-phishing campaigns that often accompany this kind of lure.
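Recommendations 2, 4 and 5 can be combined into one site-side stop-gap that does not require editing the plugin. The following is an added example for this page, not WC Vendors code: a must-use plugin that rejects requests to the delete endpoint whose Origin or Referer host is not the site's own host, and writes an audit line for every hit. The path prefix is taken from the advisory; the `hyp_` names, and the assumption that the plugin routes the endpoint no earlier than `init`, are mine.

```php
<?php
/**
 * Plugin Name: Hypothetical CSRF guard for the WC Vendors delete endpoint
 * Description: Added example for this page, not WC Vendors code. Drop into
 *              wp-content/mu-plugins/ as a stop-gap until the plugin is updated.
 */

// Endpoint path from the advisory. Matched as a substring so that sites installed
// in a subdirectory (e.g. /shop/vendor_dashboard/...) are covered too.
const HYP_WCV_DELETE_PATH = '/vendor_dashboard/product/delete/';

// Returns the host named by the first of Origin/Referer that is present, or null.
function hyp_wcv_request_source_host() {
    foreach ( array( 'HTTP_ORIGIN', 'HTTP_REFERER' ) as $header ) {
        if ( ! empty( $_SERVER[ $header ] ) ) {
            $host = wp_parse_url( wp_unslash( $_SERVER[ $header ] ), PHP_URL_HOST );
            return is_string( $host ) ? strtolower( $host ) : null;
        }
    }
    return null;
}

function hyp_wcv_guard_product_delete() {
    $path = wp_parse_url( wp_unslash( $_SERVER['REQUEST_URI'] ?? '' ), PHP_URL_PATH );
    if ( ! is_string( $path ) || false === strpos( $path, HYP_WCV_DELETE_PATH ) ) {
        return; // not the vulnerable endpoint
    }

    $site_host   = strtolower( (string) wp_parse_url( home_url(), PHP_URL_HOST ) );
    $source_host = hyp_wcv_request_source_host();
    // Browsers send Origin on cross-site POSTs and Referer (at least its origin part
    // under the default referrer policy) on cross-site link clicks. A request that
    // carries neither header, or names another host, is treated as forged.
    $same_site = null !== $source_host && $source_host === $site_host;

    // Audit line for every hit (recommendation 5): verdict, who, from where, what.
    error_log( sprintf(
        'wcv-delete-guard verdict=%s user=%d ip=%s method=%s source=%s uri=%s',
        $same_site ? 'allowed' : 'blocked',
        get_current_user_id(),
        $_SERVER['REMOTE_ADDR'] ?? '-',
        $_SERVER['REQUEST_METHOD'] ?? '-',
        $source_host ?? '-',
        $path
    ) );

    if ( ! $same_site ) {
        wp_die(
            esc_html__( 'Request rejected: product deletion must be started from the vendor dashboard.', 'hyp' ),
            '',
            array( 'response' => 403 )
        );
    }
}
// Priority 0 on init runs before plugin handlers at default priority and before
// template_redirect, where front-end dashboard routing typically happens (assumption).
add_action( 'init', 'hyp_wcv_guard_product_delete', 0 );
```

Run it on staging first: a user whose browser or privacy extension strips Referer will be blocked on legitimate clicks, so review the verdict=blocked lines for known-good accounts before enforcing in production. The guard checks only where the request came from; it complements, and does not replace, the nonce check delivered by the plugin update.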
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-23T18:51:55.361Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69328da7f88dbe026c81c65a
Added to database: 12/5/2025, 7:45:43 AM
Last enriched: 12/12/2025, 8:24:51 AM
Last updated: 1/19/2026, 8:42:26 PM