CVE-2025-12133 identifies a missing authorization vulnerability (CWE-862) in the EPROLO Dropshipping plugin for WordPress, versions up to and including 2.3.1. The flaw resides in two AJAX endpoints: wp_ajax_eprolo_delete_tracking and wp_ajax_eprolo_save_tracking_data, which lack proper capability checks. This allows any authenticated user with at least Subscriber privileges to invoke these endpoints and modify or delete tracking data associated with dropshipping orders. Since WordPress Subscriber roles are low-privilege by default, this broadens the attack surface significantly. The vulnerability affects data integrity but does not expose confidential information or cause denial of service. The CVSS 3.1 base score is 4.3 (medium), reflecting network exploitability with low complexity, requiring authentication but no user interaction, and limited impact on integrity only. No patches or fixes have been published yet, and no known exploits are reported in the wild. The vulnerability could be leveraged by malicious insiders or compromised low-privilege accounts to disrupt order tracking, potentially causing logistical errors or customer dissatisfaction. Given the plugin’s role in managing dropshipping logistics, integrity of tracking data is critical for supply chain reliability. Organizations using this plugin should audit user roles, restrict access, and monitor AJAX endpoint usage. Since the vulnerability is present in all versions up to 2.3.1, upgrading or applying vendor fixes when available is essential.

For European organizations, this vulnerability primarily threatens the integrity of dropshipping tracking data, which can disrupt order fulfillment and logistics operations. While it does not compromise confidentiality or availability, unauthorized modification or deletion of tracking information can lead to shipment errors, delayed deliveries, and customer dissatisfaction. This could damage brand reputation and incur financial losses, especially for e-commerce businesses relying heavily on dropshipping models. Attackers with low-level access could manipulate tracking data to cover fraudulent activities or sabotage supply chains. The impact is more pronounced in sectors with complex logistics or high transaction volumes. Since the vulnerability requires authenticated access, organizations with weak user management or exposed subscriber accounts are at higher risk. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as exploit code could emerge. European companies using WordPress with the EPROLO Dropshipping plugin should consider this vulnerability a moderate operational risk that warrants prompt mitigation to maintain supply chain integrity.

1. Immediately audit and restrict WordPress user roles to ensure only trusted users have Subscriber-level or higher access, minimizing the attack surface. 2. Implement strict access controls on the EPROLO Dropshipping plugin endpoints by customizing capability checks or using security plugins that enforce role-based restrictions on AJAX calls. 3. Monitor WordPress logs and web server access logs for unusual or unauthorized calls to wp_ajax_eprolo_delete_tracking and wp_ajax_eprolo_save_tracking_data endpoints. 4. Disable or restrict the plugin temporarily if possible until a vendor patch is released. 5. Keep WordPress core and all plugins updated; apply vendor patches for EPROLO Dropshipping promptly once available. 6. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious AJAX requests targeting these endpoints. 7. Educate administrators and users on the risks of low-privilege account compromise and enforce strong authentication policies. 8. Consider implementing multi-factor authentication (MFA) for all WordPress users to reduce the risk of account takeover. 9. Regularly back up tracking data and order information to enable recovery in case of data tampering. 10. Engage in proactive vulnerability scanning and penetration testing focused on WordPress plugins and AJAX endpoints.