Description
The EPROLO Dropshipping plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wp_ajax_eprolo_delete_tracking and wp_ajax_eprolo_save_tracking_data AJAX endpoints in all versions up to, and including, 2.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify and delete tracking data.
Published: 2025-12-05
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authorization bypass allowing tracking data modification
Action: Immediate Patch
AI Analysis

Impact

The EPROLO Dropshipping plugin for WordPress suffers from a missing capability check on two AJAX endpoints, wp_ajax_eprolo_delete_tracking and wp_ajax_eprolo_save_tracking_data, in all releases through 2.3.1. This defect lets an authenticated user with the Subscriber role or higher modify or delete shipping‑tracking records tied to orders. The vulnerability therefore represents a data integrity and authorization bypass; attackers can alter or remove shipping details, potentially disrupting fulfillment processes and eroding customer confidence.

Affected Systems

The flaw affects WordPress sites that have installed the EPROLO Dropshipping plugin from the paulepro2019 project, specifically all versions up to and including 2.3.1. Sites running this plugin, regardless of additional themes or plugins, are susceptible to the described data‑tamper attack.

Risk and Exploitability

Scored 4.3 on the CVSS scale, the issue carries a low exploitation probability with an EPSS score of less than 1%. It is not currently listed in CISA’s KEV catalog. Because the flaw requires an authenticated user with at least Subscriber privileges, the attack vector is limited to legitimate logins or user credential compromise. An attacker could use standard AJAX calls to the exposed endpoints without triggering additional security checks, making the exploitation relatively straightforward once the prerequisite role is achieved.

Generated by OpenCVE AI on April 22, 2026 at 11:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the EPROLO Dropshipping plugin to version 2.3.2 or later, which includes a proper capability check on the affected AJAX endpoints.
  • If an immediate update is not possible, block access to wp_ajax_eprolo_delete_tracking and wp_ajax_eprolo_save_tracking_data for Subscriber‑level users using role‑based access control or a custom filter.
  • Review and tighten the permissions granted to the Subscriber role, ensuring it does not possess higher capabilities than required for its intended use.

Generated by OpenCVE AI on April 22, 2026 at 11:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
References

Fri, 05 Dec 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 05 Dec 2025 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Fri, 05 Dec 2025 05:45:00 +0000

Type Values Removed Values Added
Description The EPROLO Dropshipping plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wp_ajax_eprolo_delete_tracking and wp_ajax_eprolo_save_tracking_data AJAX endpoints in all versions up to, and including, 2.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify and delete tracking data.
Title EPROLO Dropshipping <= 2.3.1 - Missing Authorization to Authenticated (Subscriber+) Tracking Data Modification
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:12:20.661Z

Reserved: 2025-10-23T19:20:51.823Z

Link: CVE-2025-12133

cve-icon Vulnrichment

Updated: 2025-12-05T19:25:45.029Z

cve-icon NVD

Status : Deferred

Published: 2025-12-05T06:16:05.540

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12133

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T12:00:05Z

Weaknesses