d0n601/CVE-2025-12720

Releases0

g-FFL Cockpit <= 1.7.1 - Improper Authorization to Unauthenticated Product Deletion

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2025-12720 ↗	Dec 6, 2025Saturday, 6 December 2025, 06:15	5.3 MEDIUM	—
The g-FFL Cockpit plugin for WordPress is vulnerable to unauthorized modification of data due to IP-based authorization that can be spoofed in the handle_enqueue_only() function in all versions up to, and including, 1.7.1. This makes it possible for unauthenticated attackers to delete arbitrary products.