CVE-2025-12721
Description
The g-FFL Cockpit plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.7.1 via the /server_status REST API endpoint due to a lack of capability checks. This makes it possible for unauthenticated attackers to extract information about the server.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The g-FFL Cockpit plugin for WordPress up to 1.7.1 exposes sensitive server information via an unauthenticated REST API endpoint due to missing authorization checks.
Vulnerability
Details
The g-FFL Cockpit plugin for WordPress, versions up to and including 1.7.1, contains a missing authorization vulnerability in its /server_status REST API endpoint. The endpoint is registered with permission_callback => '__return_true', meaning it does not require any authentication or capability checks [1][2]. This allows any unauthenticated visitor to access the endpoint and retrieve sensitive server information.
Exploitation
An attacker can exploit this vulnerability by sending a simple GET request to https://example.com/wp-json/fflcockpit/v1/server_status (replacing example.com with the target site) [1][2]. No special privileges or prior authentication are needed; the endpoint is publicly accessible. The response includes a wealth of data such as PHP version, operating system, memory usage, PHP configuration, database details, active plugins with versions, and more.
Impact
The exposed information can aid attackers in reconnaissance, allowing them to identify vulnerable plugin versions, outdated software, or misconfigurations. This knowledge could support targeted attacks, such as exploiting known vulnerabilities in specific plugin versions or making use of any database credentials the response reveals. The disclosure of internal server details increases the attack surface and the risk of further compromise.
Mitigation
As of the publication date, the vendor has not released a patched version. Users are advised to disable or remove the plugin until a fix is available, or implement additional access controls to restrict the endpoint [1][2].
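The two controls the narrative above points at, as an added example that is not the g-FFL Cockpit plugin's own code: the plugin-side fix replaces the `permission_callback => '__return_true'` registration with a capability check, and the site-side stopgap refuses the endpoint from a mu-plugin while no patched version exists. The namespace `fflcockpit/v1` and route `/server_status` come from the endpoint URL in the advisory; the handler name, function names and mu-plugin placement are assumptions.

```php
<?php
// Added example, not code from the g-FFL Cockpit plugin. Namespace and route
// are taken from the endpoint URL in the advisory; handler and function names
// are hypothetical.

// 1. Plugin-side fix. The advisory describes a registration with
//    'permission_callback' => '__return_true', which lets every visitor call
//    the handler. The corrected registration requires manage_options, so only
//    administrators can read the server status.
function example_register_server_status_route() {
	register_rest_route( 'fflcockpit/v1', '/server_status', array(
		'methods'             => WP_REST_Server::READABLE,
		'callback'            => 'example_server_status_handler', // hypothetical handler
		// Before (vulnerable): 'permission_callback' => '__return_true',
		'permission_callback' => function ( WP_REST_Request $request ) {
			if ( current_user_can( 'manage_options' ) ) {
				return true;
			}
			// rest_authorization_required_code() is 401 for anonymous visitors
			// and 403 for logged-in users who lack the capability.
			return new WP_Error(
				'rest_forbidden',
				__( 'Sorry, you are not allowed to view server status.' ),
				array( 'status' => rest_authorization_required_code() )
			);
		},
	) );
}
add_action( 'rest_api_init', 'example_register_server_status_route' );

// 2. Site-side stopgap for an unpatched install. Place this in a file under
//    wp-content/mu-plugins/ (assumed location); it runs on rest_pre_dispatch,
//    after cookie/nonce authentication but before the plugin's callback, and
//    short-circuits the request for anyone who is not an administrator. Plugin
//    files are left untouched, so a later plugin update does not undo it.
function example_block_server_status( $result, $server, $request ) {
	if ( null !== $result ) {
		return $result; // another filter already short-circuited dispatch
	}
	$route = untrailingslashit( $request->get_route() );
	if ( '/fflcockpit/v1/server_status' === $route && ! current_user_can( 'manage_options' ) ) {
		return new WP_Error(
			'rest_forbidden',
			__( 'Sorry, you are not allowed to do that.' ),
			array( 'status' => rest_authorization_required_code() )
		);
	}
	return $result;
}
add_filter( 'rest_pre_dispatch', 'example_block_server_status', 10, 3 );
```

The two halves belong in different places: the first is what a fixed plugin release would ship, the second is what a site owner can deploy today without editing the plugin. Returning a `WP_Error` with a 401/403 status from either hook means unauthenticated requests to the endpoint are rejected before any server details are assembled, which is also the response a monitoring rule can watch for.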
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.7.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.