CVE-2025-12720

Published December 6th, 2025

View on NVD ↗

CVSS v3

5.3

MEDIUM

CVSS v2

N/A

Affected

PROJECT

Description

The g-FFL Cockpit plugin for WordPress is vulnerable to unauthorized modification of data due to IP-based authorization that can be spoofed in the handle_enqueue_only() function in all versions up to, and including, 1.7.1. This makes it possible for unauthenticated attackers to delete arbitrary products.

d0n601/CVE-2025-12720

g-FFL Cockpit <= 1.7.1 - Improper Authorization to Unauthenticated Product Deletion

GitHub