CVE-2025-12039
BigBuy Dropshipping Connector for WooCommerce <= 2.0.5 - Unauthenticated IP Spoofing to phpinfo() Exposure
CVSS Score
5.3
EPSS Score
0.0%
EPSS Percentile
0th
The BigBuy Dropshipping Connector for WooCommerce plugin for WordPress is vulnerable to IP Address Spoofing in all versions up to, and including, 2.0.5 due to insufficient IP address validation and use of user-supplied HTTP headers as a primary method for IP retrieval. This makes it possible for unauthenticated attackers to retrieve the output of phpinfo().
| CWE | CWE-200 |
| Vendor | devsmip |
| Product | bigbuy dropshipping connector for woocommerce |
| Published | Nov 21, 2025 |
| Last Updated | Apr 8, 2026 |
Stay Ahead of the Next One
Get instant alerts for devsmip bigbuy dropshipping connector for woocommerce
Be the first to know when new medium vulnerabilities affecting devsmip bigbuy dropshipping connector for woocommerce are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
devsmip / BigBuy Dropshipping Connector for WooCommerce
0 โค 2.0.5
References
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/19a3d5a5-4673-41e7-9868-99699852f330?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/bigbuy-wc-dropshipping-connector/tags/2.0.5/src/Controller/ApiController.php#L225 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/bigbuy-wc-dropshipping-connector/tags/2.0.5/src/Controller/ApiController.php#L260
Credits
Jarno Vos