WordPress Plugin Vulnerabilities

WC Vendors – WooCommerce Multivendor, WooCommerce Marketplace, Product Vendors < 2.6.4.1 - Cross-Site Request Forgery to Vendor Product Deletion

Description

The WC Vendors – WooCommerce Multivendor, WooCommerce Marketplace, Product Vendors plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.4. This is due to missing or incorrect nonce validation on the /vendor_dashboard/product/delete/ endpoint. This makes it possible for unauthenticated attackers to delete vendor products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
wc-vendors
Fixed in 2.6.4.1

References

CVE
CVE-2025-12130
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/e1ed77cf-2595-477a-af86-25c917817984

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Jonas Benjamin Friedli
Verified
No
WPVDB ID
daf09b27-65f7-414c-a82a-29156d89ab84

Timeline

Publicly Published
2025-12-04 (about 5 months ago)
Added
2025-12-04 (about 5 months ago)
Last Updated
2025-12-05 (about 5 months ago)

Other

Published
Title
Published
2025-12-15
Title
Simple Folio < 1.1.1 - Cross-Site Request Forgery
Published
2025-03-11
Title
FTP Sync <= 1.1.6 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2025-02-16
Title
WP-PManager <= 1.2 - Category Deletion via CSRF
Published
2025-07-01
Title
Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager <= 4.89 - Cross-Site Request Forgery to PHP Code Injection in bsaCreateAdTemplate
Published
2023-03-16
Title
WP Shortcode by MyThemeShop < 1.4.17 - CSRF