CVE-2025-12133: CWE-862 Missing Authorization in paulepro2019 EPROLO Dropshipping
The EPROLO Dropshipping plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wp_ajax_eprolo_delete_tracking and wp_ajax_eprolo_save_tracking_data AJAX endpoints in all versions up to, and including, 2.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify and delete tracking data.
AI Analysis
Technical Summary
CVE-2025-12133 identifies a missing authorization vulnerability (CWE-862) in the EPROLO Dropshipping plugin for WordPress, affecting all versions up to and including 2.3.1. The flaw lies in the AJAX endpoints wp_ajax_eprolo_delete_tracking and wp_ajax_eprolo_save_tracking_data, which lack a capability check. Any authenticated user with Subscriber-level privileges or higher can therefore invoke these endpoints and modify or delete the tracking data associated with orders. No privileges beyond Subscriber and no user interaction beyond authentication are required. The CVSS 3.1 base score is 4.3 (medium), reflecting a network attack vector, low attack complexity, and a limited impact on integrity with no effect on confidentiality or availability. Because tracking data integrity is critical for order fulfillment and customer satisfaction, unauthorized modifications could cause operational disruptions or customer disputes. No patch or public exploit is currently available, but the vulnerability is published and should be addressed promptly. The plugin is widely used in WordPress-based e-commerce environments, making this a relevant threat for online retailers using EPROLO Dropshipping.
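To make the CWE-862 pattern concrete, the following is an added illustration of what a missing capability check on a wp_ajax_ handler looks like next to its hardened form. It is not the EPROLO plugin's code: only the two hook names come from the advisory; the function names, the eprolo_tracking meta key, the eprolo_tracking nonce action and the manage_options capability are assumptions made for the example.

```php
<?php
/*
 * Added illustration of the CWE-862 pattern, NOT the EPROLO plugin's own code.
 * Hook names are from the advisory; handler names, the 'eprolo_tracking' meta key,
 * the nonce action and the required capability are assumptions.
 */

// Vulnerable shape (shown for contrast, deliberately not registered below).
// The wp_ajax_ prefix only guarantees that *some* user is logged in; nothing
// here asks which user, so a Subscriber can reach it. Note that a nonce check
// alone would not fix this either: nonces defend against CSRF, they do not
// express who is allowed to perform the action.
function example_save_tracking_vulnerable() {
    $order_id = intval( $_POST['order_id'] );
    update_post_meta( $order_id, 'eprolo_tracking', $_POST['tracking'] );
    wp_send_json_success();
}
// add_action( 'wp_ajax_eprolo_save_tracking_data', 'example_save_tracking_vulnerable' );

// Hardened shape: CSRF nonce, then an explicit authorization check, then input validation.
add_action( 'wp_ajax_eprolo_save_tracking_data', 'example_save_tracking_hardened' );
function example_save_tracking_hardened() {
    // 1. CSRF: the request must carry a nonce minted for this action (dies on failure).
    check_ajax_referer( 'eprolo_tracking', 'nonce' );

    // 2. Authorization, the check that CWE-862 is about: require a capability that
    //    Subscribers do not hold. 'manage_options' is an assumption; a store-specific
    //    capability may fit a real deployment better.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation before anything touches the database.
    $order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
    $tracking = isset( $_POST['tracking'] )
        ? sanitize_text_field( wp_unslash( $_POST['tracking'] ) )
        : '';
    if ( 0 === $order_id || '' === $tracking ) {
        wp_send_json_error( array( 'message' => 'Invalid input.' ), 400 );
    }

    update_post_meta( $order_id, 'eprolo_tracking', $tracking );
    wp_send_json_success( array( 'order_id' => $order_id ) );
}

add_action( 'wp_ajax_eprolo_delete_tracking', 'example_delete_tracking_hardened' );
function example_delete_tracking_hardened() {
    check_ajax_referer( 'eprolo_tracking', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    $order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
    // delete_post_meta() returns false when the order has no such meta entry.
    if ( 0 === $order_id || ! delete_post_meta( $order_id, 'eprolo_tracking' ) ) {
        wp_send_json_error( array( 'message' => 'Nothing to delete.' ), 404 );
    }
    wp_send_json_success( array( 'order_id' => $order_id ) );
}
```

The ordering matters for review: a handler that calls check_ajax_referer() but never current_user_can() still has this vulnerability, because every logged-in user who can load the page that embeds the nonce can submit a valid one.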
Potential Impact
For European organizations, this vulnerability could undermine the integrity of order tracking data, potentially causing shipment errors, customer dissatisfaction, and reputational damage. While it does not expose sensitive data or disrupt service availability, unauthorized modification or deletion of tracking information can lead to operational inefficiencies and increased support costs. Attackers with low-level access could manipulate shipment statuses, possibly enabling fraud or evasion of accountability. This is particularly impactful for mid to large e-commerce businesses relying on accurate dropshipping logistics. Additionally, regulatory compliance related to consumer protection and data accuracy (such as GDPR principles on data integrity) could be indirectly affected if tracking data is manipulated. The vulnerability’s exploitation requires authentication, so risks are higher in environments with weak user access controls or where Subscriber accounts are easily compromised or created.
Mitigation Recommendations
European organizations should immediately audit user roles and permissions within their WordPress installations to ensure that Subscriber-level accounts are tightly controlled and monitored. Restrict access to the vulnerable AJAX endpoints by implementing custom capability checks or using security plugins that can enforce granular access control. Monitor logs for unusual activity related to wp_ajax_eprolo_delete_tracking and wp_ajax_eprolo_save_tracking_data calls. Since no official patch is currently available, consider temporarily disabling or restricting the EPROLO Dropshipping plugin if feasible. Engage with the plugin vendor for updates and apply patches promptly once released. Additionally, implement multi-factor authentication (MFA) to reduce the risk of account compromise. Regularly back up tracking data and e-commerce configurations to enable recovery from unauthorized modifications. Finally, educate staff about the risks of low-privilege account misuse and enforce strong password policies.
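The two interim recommendations above, a custom capability check in front of the endpoints and logging of calls to them, can be combined in a small must-use plugin that does not touch the vendor's files. The code below is an added example, not code from EPROLO or from the advisory. It hooks the two AJAX actions named in CVE-2025-12133 at an early priority, logs each call with the calling user, and ends the request before the plugin's own handler runs unless the user holds a required capability. The manage_options capability, the constant names and the log line format are assumptions; it belongs in wp-content/mu-plugins/ and should be removed once a vendor release with its own capability check is installed.

```php
<?php
/**
 * Plugin Name: EPROLO tracking AJAX gate (interim, added example)
 *
 * Added example, not EPROLO or advisory code. Place in wp-content/mu-plugins/.
 * Hooks the two AJAX actions from CVE-2025-12133 ahead of the plugin's handlers,
 * logs every call, and denies callers lacking EPROLO_GATE_REQUIRED_CAP.
 * Capability, constant names and log format are assumptions.
 */

// Assumption: adjust to the role that legitimately edits tracking data on your store.
const EPROLO_GATE_REQUIRED_CAP = 'manage_options';

// Action names from the advisory, without the wp_ajax_ prefix.
const EPROLO_GATE_ACTIONS = array(
    'eprolo_delete_tracking',
    'eprolo_save_tracking_data',
);

function eprolo_gate_log( $action, $decision ) {
    $user = wp_get_current_user();
    // Goes to the PHP error log (or wp-content/debug.log with WP_DEBUG_LOG); forward
    // it from there. Web server access logs alone are usually not enough here: admin-ajax
    // clients normally send the action name in the POST body, which is not logged.
    error_log( sprintf(
        'eprolo-gate action=%s decision=%s user_id=%d login=%s ip=%s',
        $action,
        $decision,
        $user->ID,
        $user->user_login,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-'
    ) );
}

function eprolo_gate_check() {
    // current_action() returns e.g. 'wp_ajax_eprolo_delete_tracking' while the hook runs.
    $action = preg_replace( '/^wp_ajax_/', '', current_action() );

    if ( current_user_can( EPROLO_GATE_REQUIRED_CAP ) ) {
        eprolo_gate_log( $action, 'allow' );
        return; // fall through to the plugin's own handler
    }

    eprolo_gate_log( $action, 'deny' );
    // wp_send_json_error() terminates the request, so callbacks registered later
    // in priority order (the plugin's handler, normally at priority 10) never run.
    wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
}

foreach ( EPROLO_GATE_ACTIONS as $eprolo_gate_action ) {
    // Priority -100 runs ahead of any callback registered at the default priority 10.
    add_action( 'wp_ajax_' . $eprolo_gate_action, 'eprolo_gate_check', -100 );
}
```

Because every call is logged with an allow or deny decision, a burst of deny lines from a Subscriber account is the signal the advisory's monitoring advice is looking for, and the allow lines give a baseline of which accounts legitimately touch tracking data.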
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-23T19:20:51.823Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69327172f88dbe026c779909
Added to database: 12/5/2025, 5:45:22 AM
Last enriched: 12/5/2025, 6:04:49 AM
Last updated: 12/10/2025, 4:38:29 PM