CVE-2025-12133
BaseFortify
Publication date: 2025-12-05
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| eprolo | dropshipping | * |
| wordpress | wordpress | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the EPROLO Dropshipping plugin for WordPress allows authenticated users with Subscriber-level access or higher to modify and delete tracking data without proper authorization. This is due to missing capability checks on specific AJAX endpoints (wp_ajax_eprolo_delete_tracking and wp_ajax_eprolo_save_tracking_data) in versions up to 2.3.1.
How can this vulnerability impact me?
This vulnerability can allow attackers with low-level access to alter or delete tracking data, potentially disrupting order tracking and logistics information. This could lead to data integrity issues and affect business operations relying on accurate tracking data.
What immediate steps should I take to mitigate this vulnerability?
The EPROLO Dropshipping plugin has been temporarily closed as of December 3, 2025, pending a full security and functionality review. Immediate mitigation steps include disabling or uninstalling the EPROLO Dropshipping plugin (version 2.3.1 and earlier) from your WordPress site to prevent exploitation. Additionally, monitor for updates or patches from the plugin developers once the review is complete before re-enabling the plugin. [1]
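The CWE-862 pattern described in the Q&A above, shown as an added illustration that is not the EPROLO plugin's own code: a WordPress AJAX handler on the two hook names named in this record, first without any authorization check and then hardened. The capability name, meta key and request field names are assumptions chosen for the example.

```php
<?php
// Added illustration, not the EPROLO plugin's code. wp_ajax_* hooks only fire for
// logged-in users, but a Subscriber is logged in, so login alone is not authorization.

// Vulnerable pattern (shown for contrast, never hooked below): any authenticated
// user can call it, and there is no nonce to tie the request to a form the user saw.
function eprolo_delete_tracking_unsafe() {
    $order_id = absint( $_POST['order_id'] ?? 0 );
    delete_post_meta( $order_id, '_eprolo_tracking' ); // hypothetical meta key
    wp_send_json_success();
}

// Hardened: require a capability Subscribers do not have and a valid nonce for
// this specific action. 'manage_options' is an assumed choice; a site may prefer
// a narrower shop-management capability.
function eprolo_require_tracking_access( $action ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( $action, 'nonce' ); // terminates the request on failure
}

function eprolo_delete_tracking_safe() {
    eprolo_require_tracking_access( 'eprolo_delete_tracking' );
    $order_id = absint( $_POST['order_id'] ?? 0 );
    if ( ! $order_id ) {
        wp_send_json_error( 'bad order id', 400 );
    }
    delete_post_meta( $order_id, '_eprolo_tracking' );
    wp_send_json_success();
}

function eprolo_save_tracking_data_safe() {
    eprolo_require_tracking_access( 'eprolo_save_tracking_data' );
    $order_id = absint( $_POST['order_id'] ?? 0 );
    $tracking = sanitize_text_field( wp_unslash( $_POST['tracking'] ?? '' ) );
    if ( ! $order_id || '' === $tracking ) {
        wp_send_json_error( 'missing fields', 400 );
    }
    update_post_meta( $order_id, '_eprolo_tracking', $tracking );
    wp_send_json_success();
}

// Only the hardened handlers are registered on the hooks named in this record.
add_action( 'wp_ajax_eprolo_delete_tracking', 'eprolo_delete_tracking_safe' );
add_action( 'wp_ajax_eprolo_save_tracking_data', 'eprolo_save_tracking_data_safe' );
```

The client side must send the matching nonce, for example one created with `wp_create_nonce( 'eprolo_delete_tracking' )` and passed to the script via `wp_localize_script`.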