Description
The g-FFL Cockpit plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.7.1 via the /server_status REST API endpoint due to a lack of capability checks. This makes it possible for unauthenticated attackers to extract information about the server.
Published: 2025-12-06
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Information Exposure
Action: Assess Impact
AI Analysis

Impact

The g-FFL Cockpit plugin for WordPress allows unauthenticated callers to access the /server_status REST API endpoint without performing any capability checks. This omission leads to a Sensitive Information Exposure flaw, enabling attackers to obtain server‑level details such as operating system, PHP configuration, and possibly file paths. The weakness is identified as CWE‑862, a missing authorization issue, and results in confidentiality loss rather than code execution or denial of service.

Affected Systems

The vulnerability affects the g‑FFL Cockpit plugin from garidium, affecting all installed releases up to and including version 1.7.1. The plugin is distributed as a WordPress plugin and relies on the WordPress REST API.

Risk and Exploitability

The CVSS score of 5.3 classifies the flaw as medium severity. With an EPSS score of less than 1 % and no listing in CISA KEV, the likelihood of real‑world exploitation is low, yet the impact on confidentiality can be significant if the server details are leveraged for further attacks. Attackers likely exploit the flaw by sending unauthenticated HTTP requests to the /server_status endpoint, requiring no special privileges or user interaction.

Generated by OpenCVE AI on April 27, 2026 at 22:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the g-FFL Cockpit plugin to the newest release from garidium
  • If no update is available, restrict access to the /server_status endpoint by implementing authentication checks or disabling the endpoint via the plugin’s configuration or a server‑level firewall rule.
  • Monitor incoming traffic to the /server_status endpoint for unexpected or unauthenticated requests and log such activity for further investigation.

Generated by OpenCVE AI on April 27, 2026 at 22:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
References

Tue, 09 Dec 2025 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Mon, 08 Dec 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 06 Dec 2025 06:00:00 +0000

Type Values Removed Values Added
Description The g-FFL Cockpit plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.7.1 via the /server_status REST API endpoint due to a lack of capability checks. This makes it possible for unauthenticated attackers to extract information about the server.
Title g-FFL Cockpit <= 1.7.1 - Missing Authorization to Unauthenticated Information Exposure
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:44:43.022Z

Reserved: 2025-11-04T21:24:44.906Z

Link: CVE-2025-12721

cve-icon Vulnrichment

Updated: 2025-12-08T20:58:12.425Z

cve-icon NVD

Status : Deferred

Published: 2025-12-06T06:15:50.900

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12721

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-27T22:45:15Z

Weaknesses