CVE-2025-12133: CWE-862 Missing Authorization in paulepro2019 EPROLO Dropshipping
The EPROLO Dropshipping plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wp_ajax_eprolo_delete_tracking and wp_ajax_eprolo_save_tracking_data AJAX endpoints in all versions up to, and including, 2.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify and delete tracking data.
AI Analysis
Technical Summary
CVE-2025-12133 is a vulnerability identified in the EPROLO Dropshipping plugin for WordPress, maintained by paulepro2019. The flaw is categorized under CWE-862 (Missing Authorization) and affects all versions up to and including 2.3.1. Specifically, the vulnerability exists because the plugin fails to perform proper capability checks on two AJAX endpoints: wp_ajax_eprolo_delete_tracking and wp_ajax_eprolo_save_tracking_data. These endpoints handle requests to delete and save tracking data related to dropshipping orders. Due to the missing authorization, any authenticated user with at least Subscriber-level privileges can invoke these endpoints to modify or delete tracking information without appropriate permissions. This can lead to unauthorized data tampering within the plugin’s tracking system. The vulnerability does not require user interaction beyond authentication and can be exploited remotely over the network. The CVSS v3.1 base score is 4.3 (medium), reflecting low complexity and limited impact on confidentiality and availability but a direct impact on data integrity. No patches or official fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability was reserved on October 23, 2025, and published on December 5, 2025. Given the widespread use of WordPress and the popularity of dropshipping plugins, this vulnerability poses a moderate risk to e-commerce sites using EPROLO Dropshipping.
Potential Impact
The primary impact of CVE-2025-12133 is unauthorized modification and deletion of tracking data within the EPROLO Dropshipping plugin. This compromises the integrity of order tracking information, potentially leading to operational disruptions, customer dissatisfaction, and loss of trust. While confidentiality and availability are not directly affected, inaccurate or missing tracking data can cause shipment errors, disputes, and financial losses. Attackers with Subscriber-level access, which is a low-privilege role, can exploit this vulnerability, increasing the risk from insider threats or compromised low-level accounts. Organizations relying on this plugin for order fulfillment and customer communication may experience degraded service quality and reputational damage. The vulnerability could also be leveraged as part of a broader attack chain to manipulate order processing or cover fraudulent activities. Although no exploits are known in the wild, the ease of exploitation and the low privilege required make timely mitigation important for affected sites worldwide.
Mitigation Recommendations
To mitigate CVE-2025-12133, organizations should first verify whether they are running the EPROLO Dropshipping plugin at version 2.3.1 or earlier. Immediate steps include restricting access to the affected AJAX endpoints by implementing custom capability checks or access controls at the web server or application firewall level. Administrators can also temporarily disable the plugin, if feasible, until a vendor patch is released. Monitoring logs for unusual activity on the wp_ajax_eprolo_delete_tracking and wp_ajax_eprolo_save_tracking_data endpoints can help detect exploitation attempts. It is critical to enforce strong authentication and to limit the creation or use of Subscriber-level accounts, since those accounts are sufficient to exploit the vulnerability. Organizations should subscribe to vendor updates and apply official patches promptly once available. Additionally, conducting regular security audits of WordPress plugins and minimizing the number of installed plugins reduces the attack surface. Employing a Web Application Firewall (WAF) with custom rules to block unauthorized AJAX requests targeting these endpoints can provide an effective interim defense.
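The "custom capability check" recommended above can be applied without modifying the plugin, as an added example that is not part of this advisory or the plugin's own code: a must-use plugin that hooks the two affected admin-ajax actions at an earlier priority and terminates the request when the caller lacks the required capability. It assumes the plugin registers its handlers at WordPress's default priority of 10, and the capability name (here `manage_options`) is a conservative placeholder to be adjusted to whichever role legitimately manages tracking data.

```php
<?php
/**
 * Plugin Name: Interim capability guard for EPROLO tracking AJAX actions
 * Description: Added example (not the plugin's code). Place in wp-content/mu-plugins/
 *              to front wp_ajax_eprolo_delete_tracking and
 *              wp_ajax_eprolo_save_tracking_data with the authorization check
 *              that the vulnerable versions lack (CWE-862).
 */

// Assumed capability: adjust to the role that should manage tracking data.
define( 'EPROLO_GUARD_CAP', 'manage_options' );

/**
 * Deny the request unless the current user holds EPROLO_GUARD_CAP.
 * wp_send_json_error() exits, so the plugin's own handler (registered later
 * in the hook order) never runs for an unauthorized caller.
 */
function eprolo_guard_require_capability() {
    if ( current_user_can( EPROLO_GUARD_CAP ) ) {
        return; // authorized: fall through to the plugin's handler
    }
    eprolo_guard_log_denied();
    wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
}

/**
 * Record denied attempts so the log monitoring recommended in the advisory
 * has a concrete signal to alert on.
 */
function eprolo_guard_log_denied() {
    $user   = wp_get_current_user();
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    $ip     = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '';
    error_log( sprintf(
        'eprolo-guard: denied action=%s user_id=%d login=%s ip=%s',
        $action, (int) $user->ID, $user->user_login, $ip
    ) );
}

// Priority 1 runs before the plugin's handler, assumed to be at the default (10).
// Only the authenticated wp_ajax_ hooks are covered, matching the advisory's scope.
add_action( 'wp_ajax_eprolo_delete_tracking',    'eprolo_guard_require_capability', 1 );
add_action( 'wp_ajax_eprolo_save_tracking_data', 'eprolo_guard_require_capability', 1 );
```

This guard only restores the capability check; a proper fix inside the plugin would also verify a nonce with check_ajax_referer(), which this stopgap cannot do because it does not know the plugin's nonce action. Remove the must-use plugin once a patched plugin version is installed.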
Affected Countries
United States, United Kingdom, Canada, Australia, Germany, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-23T19:20:51.823Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69327172f88dbe026c779909
Added to database: 12/5/2025, 5:45:22 AM
Last enriched: 2/27/2026, 8:10:00 PM
Last updated: 3/26/2026, 3:52:08 AM