CVE-2025-12720
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-06

Last updated on: 2026-04-08

Assigner: Wordfence

Description
The g-FFL Cockpit plugin for WordPress is vulnerable to unauthorized modification of data due to IP-based authorization that can be spoofed in the handle_enqueue_only() function in all versions up to, and including, 1.7.1. This makes it possible for unauthenticated attackers to delete arbitrary products.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-06
Last Modified
2026-04-08
Generated
2026-06-16
AI Q&A
2025-12-06
EPSS Evaluated
2026-06-15
NVD
CVE-2025-12720
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
woocommerce woocommerce *
wordpress g-ffl_cockpit *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The g-FFL Cockpit plugin for WordPress has a vulnerability in its handle_enqueue_only() function where IP-based authorization can be spoofed. This allows unauthenticated attackers to bypass security checks and delete arbitrary products.

Impact Analysis

This vulnerability can allow attackers who are not authenticated to delete arbitrary products from your WordPress site using the g-FFL Cockpit plugin, potentially causing data loss and disruption of your product listings.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious POST requests to the REST API endpoints `/wp-json/fflcockpit/v1/queue` and `/wp-json/fflcockpit/v1/process` that include spoofed HTTP headers such as `X-Forwarded-For` or `CF-Connecting-IP` set to the hardcoded IP address `3.212.185.187`. Detection can involve checking server logs or using curl commands to test if unauthorized deletion is possible by spoofing these headers. Example curl commands to test the vulnerability include sending a POST request to `/wp-json/fflcockpit/v1/queue` with the spoofed header and a JSON payload specifying product IDs to delete, followed by a POST request to `/wp-json/fflcockpit/v1/process` with the same spoofed header to trigger deletion. Monitoring for such requests or attempts to delete products via these endpoints with spoofed IP headers can help detect exploitation attempts. [1, 2]

Mitigation Strategies

Immediate mitigation steps include disabling or uninstalling the g-FFL Cockpit plugin version 1.7.1 or earlier until a patched version is available, as the vulnerability arises from improper IP-based authorization that can be spoofed. Additionally, restricting access to the REST API endpoints `/wp-json/fflcockpit/v1/queue` and `/wp-json/fflcockpit/v1/process` via firewall rules or web server configuration to trusted IPs can help prevent unauthorized access. Monitoring and blocking requests with spoofed `X-Forwarded-For` or `CF-Connecting-IP` headers matching the hardcoded IP address (`3.212.185.187`) is also recommended. Applying any official security updates or patches released by the plugin maintainers as soon as they become available is crucial. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-12720. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart