cleantalk
Vulnerabilities and Security Researches

WC Vendors – WooCommerce Multi-Vendor, WooCommerce Marketplace, Product Vendors, CVE-2025-12130

CVE, Research URL

CVE-2025-12130

Home page URL

Security reports for WC Vendors – WooCommerce Multi-Vendor, WooCommerce Marketplace, Product Vendors

Application

WC Vendors – WooCommerce Multi-Vendor, WooCommerce Marketplace, Product Vendors

Published on
Dec 05, 2025
Research Description
The WC Vendors – WooCommerce Multivendor, WooCommerce Marketplace, Product Vendors plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.4. This is due to missing or incorrect nonce validation on the /vendor_dashboard/product/delete/ endpoint. This makes it possible for unauthenticated attackers to delete vendor products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions
max 2.6.4.1.
Status
vulnerable
Previous vulnerability researches
WC Vendors – WooCommerce Multi-Vendor, WooCommerce Marketplace, Product Vendors (CVE-2025-49263) , Jun 15, 2025
WC Vendors – WooCommerce Multi-Vendor, WooCommerce Marketplace, Product Vendors (CVE-2025-12130) , Dec 11, 2025
WC Vendors – WooCommerce Multi-Vendor, WooCommerce Marketplace, Product Vendors (CVE-2023-48327) , Jun 06, 2024
WC Vendors – WooCommerce Multi-Vendor, WooCommerce Marketplace, Product Vendors (CVE-2023-0072) , Jun 06, 2024
WC Vendors – WooCommerce Multi-Vendor, WooCommerce Marketplace, Product Vendors (CVE-2026-54838) , Jun 25, 2026
New vulnerability
Admin and Site Enhancements (ASE) , Jun 25, 2026
Advanced Google reCAPTCHA , Jun 25, 2026
Page Optimize , Jun 25, 2026
Image Optimizer by Elementor – Compress, Resize and Optimize Images , Jun 25, 2026
Facebook Chat Plugin – Live Chat Plugin for WordPress , Jun 25, 2026