CVE-2025-12720 MEDIUM

CVE-2025-12720: g-FFL Cockpit <= 1.7.1 - Improper Authorization to Unauthenticated Product Deletion

Vendor Garidium

Product g-FFL Cockpit

Weakness CWE-285

Published December 6, 2025

Last update April 8, 2026

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality None

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

The g-FFL Cockpit plugin for WordPress is vulnerable to unauthorized modification of data due to IP-based authorization that can be spoofed in the handle_enqueue_only() function in all versions up to, and including, 1.7.1. This makes it possible for unauthenticated attackers to delete arbitrary products.

Key dates

02Disclosure timeline

December 6, 2025 CVE published

April 8, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-12720

Related vulnerabilities

CVE-2025-12720: g-FFL Cockpit <= 1.7.1 - Improper Authorization to Unauthenticated Product Deletion

01Description

02Disclosure timeline

03References

04Related CVE