CVE-2025-12720 identifies an improper authorization vulnerability (CWE-285) in the garidium g-FFL Cockpit plugin for WordPress, present in all versions up to and including 1.7.1. The root cause is the reliance on IP-based authorization within the handle_enqueue_only() function, which can be trivially spoofed by attackers. This flaw allows unauthenticated adversaries to bypass authorization controls and delete arbitrary products managed by the plugin. The vulnerability does not require authentication or user interaction and can be exploited remotely over the network. The impact is primarily on data integrity, as attackers can modify or delete product data, potentially disrupting e-commerce operations or causing financial and reputational damage. The CVSS v3.1 score of 5.3 reflects a medium severity rating, with network attack vector, low attack complexity, no privileges required, and no user interaction needed. No patches or known exploits are currently reported, but the vulnerability is publicly disclosed and should be addressed promptly. The plugin’s widespread use in WordPress-based e-commerce sites makes this a relevant threat for many organizations.

The vulnerability enables unauthorized deletion of products, directly impacting data integrity and potentially disrupting business operations, especially for e-commerce sites relying on the garidium g-FFL Cockpit plugin. Loss or manipulation of product data can lead to financial losses, customer dissatisfaction, and damage to brand reputation. Since the exploit requires no authentication or user interaction and can be performed remotely, the attack surface is broad. Organizations with high transaction volumes or critical product catalogs are particularly vulnerable. Although confidentiality and availability impacts are minimal, the integrity compromise alone can have severe operational consequences. The absence of known exploits in the wild currently reduces immediate risk, but the public disclosure increases the likelihood of future exploitation attempts.

Organizations should immediately verify if they use the garidium g-FFL Cockpit plugin, especially versions up to 1.7.1, and seek updates or patches from the vendor once available. In the absence of an official patch, administrators should implement network-level controls to restrict access to the plugin’s endpoints, such as IP whitelisting or web application firewall (WAF) rules that detect and block spoofed IP addresses. Monitoring and logging access to the plugin’s functions can help detect suspicious activity. Additionally, applying the principle of least privilege to WordPress user roles and regularly backing up product data can reduce the impact of potential exploitation. Security teams should also consider isolating the WordPress environment and employing intrusion detection systems to identify anomalous deletion attempts. Prompt vendor communication and participation in threat intelligence sharing communities are recommended to stay informed about patch releases and exploit developments.