
Critical Vulnerability: Unauthenticated Wishlist Manipulation in YITH WooCommerce Wishlist Plugin (CVE-2025-12777)

Overview

A critical security vulnerability, identified as CVE-2025-12777, has been discovered in the YITH WooCommerce Wishlist plugin for WordPress. This vulnerability affects all versions up to and including 4.10.0. It allows unauthenticated attackers to bypass authorization checks and potentially disclose wishlist tokens for any user, and consequently, delete items from those wishlists.

Technical Details

The vulnerability stems from two primary issues:

  • REST API Authorization Bypass: The plugin’s REST API endpoint /wp-json/yith/wishlist/v1/lists uses permission_callback => '__return_true', effectively bypassing any authorization checks. This allows unauthenticated users to access wishlist data. Specifically, the vulnerability exists in the following files:
  • AJAX Handler Missing Object-Level Authorization: The delete_item AJAX handler only verifies the nonce validity but lacks proper object-level authorization. When a wishlist page is shared (making the nonce visible), an attacker can exploit this missing authorization. The issue is located in:

By chaining these two vulnerabilities, an attacker can first retrieve a wishlist token via the REST API bypass, then use the exposed delete_item nonce on a shared wishlist page to remove items from that wishlist, due to the AJAX handler’s lack of authorization checks. The nonce exposure occurs on shared wishlist pages as seen here: class-yith-wcwl-frontend.php#L740
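To make the two weaknesses concrete, here is an added PHP illustration (not code from the YITH plugin, the linked changeset, or this advisory) that places each weak pattern beside a hardened version. All names are hypothetical: the `example-wishlist/v1` REST namespace, an `example_wishlist_item` post type in which one post is one wishlist item and `post_author` is the owner, and the `example_delete_item` AJAX action. The WordPress functions used (`register_rest_route`, `check_ajax_referer`, `wp_send_json_error`, `get_post`, `wp_delete_post`) are real core APIs.

```php
<?php
/**
 * Added example, not the plugin's code: the two weak patterns the advisory
 * describes, each beside a hardened version. Hypothetical names throughout:
 * the 'example-wishlist/v1' namespace, the 'example_wishlist_item' post type
 * (one post per item, post_author is the owner) and 'example_delete_item'.
 */

// --- Pattern 1: REST endpoint open to everyone -------------------------------

add_action( 'rest_api_init', function () {
    // Weak: '__return_true' answers "yes" for every caller, so unauthenticated
    // visitors can read whatever the callback returns.
    register_rest_route( 'example-wishlist/v1', '/lists-open', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_wishlist_current_user_lists',
        'permission_callback' => '__return_true',
    ) );

    // Hardened: require an authenticated caller; the callback then returns
    // only data scoped to that caller's own user ID.
    register_rest_route( 'example-wishlist/v1', '/lists', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_wishlist_current_user_lists',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! is_user_logged_in() ) {
                return new WP_Error(
                    'rest_forbidden',
                    'Authentication required.',
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
    ) );
} );

// Returns only the current user's items, never a list keyed by an arbitrary user.
function example_wishlist_current_user_lists( WP_REST_Request $request ) {
    $items = get_posts( array(
        'post_type'   => 'example_wishlist_item',
        'author'      => get_current_user_id(),
        'numberposts' => -1,
        'fields'      => 'ids',
    ) );
    return rest_ensure_response( array( 'items' => $items ) );
}

// --- Pattern 2: AJAX delete with a nonce but no object-level authorization ---

// Weak: the nonce proves only that the request came from a page that rendered
// it. On a shared wishlist page that nonce is visible to any visitor, and
// nothing here checks that the caller owns the item being deleted.
function example_delete_item_weak() {
    check_ajax_referer( 'example_delete_item', 'nonce' );
    $item_id = absint( $_POST['item_id'] ?? 0 );
    wp_delete_post( $item_id, true );
    wp_send_json_success();
}

// Hardened: nonce (CSRF) check, then authentication, then ownership of the
// specific object, all before anything is deleted.
function example_delete_item_hardened() {
    check_ajax_referer( 'example_delete_item', 'nonce' );

    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'Authentication required.' ), 401 );
    }

    $item_id = absint( $_POST['item_id'] ?? 0 );
    $item    = get_post( $item_id );
    if ( ! $item
        || 'example_wishlist_item' !== $item->post_type
        || (int) $item->post_author !== get_current_user_id() ) {
        // Same response for "missing" and "not yours", so no existence oracle.
        wp_send_json_error( array( 'message' => 'Item not found.' ), 404 );
    }

    wp_delete_post( $item_id, true );
    wp_send_json_success( array( 'deleted' => $item_id ) );
}

// Only the hardened handler is wired up, and without a nopriv hook: deleting
// requires an account in this design.
add_action( 'wp_ajax_example_delete_item', 'example_delete_item_hardened' );
```

The design point is that a WordPress nonce is a CSRF token, not an authorization grant: it ties a request to a page the caller has already seen, and for logged-out visitors it is generated for user ID 0, so every visitor to a shared page holds the same one. Authorization has to be decided per object, against the authenticated user, in the handler itself.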

CVSS Analysis

The CVSS score assigned to CVE-2025-12777 is 5.3 (Medium), reflecting unauthorized data disclosure and modification by unauthenticated attackers. The vector string likely indicates a network attack vector, low attack complexity, no privileges required, user interaction required, and low impact on confidentiality and integrity.

Possible Impact

Successful exploitation of this vulnerability could lead to the following:

  • Wishlist Data Disclosure: Attackers can retrieve wishlist contents for any user.
  • Unauthorized Wishlist Modification: Attackers can delete items from user wishlists, potentially disrupting their shopping experience and impacting sales.

Mitigation or Patch Steps

The vulnerability has been patched in later versions of the YITH WooCommerce Wishlist plugin. It is strongly recommended to update to the latest available version as soon as possible. Verify that the updated version includes proper authorization checks for the REST API endpoint and the AJAX delete_item handler.
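One way to verify the REST side of that after updating, as an added example (not part of this advisory or the plugin), is to list every registered REST route under the plugin's namespace whose permission callback still admits every caller. It runs inside WordPress, for example with WP-CLI via `wp eval-file rest-audit.php` (WP-CLI is assumed to be installed; the file name is hypothetical). The `/yith/wishlist/` prefix is taken from the endpoint path named above; `rest_get_server()` and `WP_REST_Server::get_routes()` are real core APIs.

```php
<?php
/**
 * Added example, not from the advisory or the plugin: list REST routes under a
 * prefix whose permission callback admits every caller. Run inside WordPress,
 * e.g. `wp eval-file rest-audit.php` (WP-CLI assumed; file name hypothetical).
 */
function example_find_open_rest_routes( string $route_prefix = '/yith/wishlist/' ): array {
    $open = array();
    // rest_get_server() fires rest_api_init on first use, so plugin routes are
    // registered by the time get_routes() is read. Route keys look like
    // '/yith/wishlist/v1/lists' (namespace included, no '/wp-json').
    foreach ( rest_get_server()->get_routes() as $route => $handlers ) {
        if ( 0 !== strpos( $route, $route_prefix ) ) {
            continue;
        }
        foreach ( $handlers as $handler ) {
            $cb = $handler['permission_callback'] ?? null;
            // '__return_true' is the literal the advisory describes. A missing
            // callback is reported too (conservative: core still serves the
            // route and only emits a notice).
            if ( '__return_true' === $cb || null === $cb ) {
                $open[] = array(
                    'route'   => $route,
                    'methods' => example_method_names( $handler['methods'] ?? array() ),
                );
            }
        }
    }
    return $open;
}

// Core stores methods as an array keyed by method name; a plain list or a
// comma-separated string is accepted as well so the audit never fails on shape.
function example_method_names( $methods ): string {
    if ( is_string( $methods ) ) {
        return $methods;
    }
    $names = array();
    foreach ( (array) $methods as $key => $value ) {
        $names[] = is_string( $key ) ? $key : (string) $value;
    }
    return implode( ',', $names );
}

$open_routes = example_find_open_rest_routes();
if ( empty( $open_routes ) ) {
    echo "No routes under the prefix use an open permission callback.\n";
} else {
    foreach ( $open_routes as $r ) {
        printf( "OPEN  %s  [%s]\n", $r['route'], $r['methods'] );
    }
}
```

The check is deliberately narrow: it flags the literal `'__return_true'` string and missing callbacks, but a closure that always returns `true` looks like any other closure to this script, so a route that still appears on the list after the update, or any route whose callback you cannot read, warrants a manual look at the plugin source. The AJAX `delete_item` handler has no equivalent registry to inspect; confirming its ownership check means reading the updated handler in the changeset.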

The fix for this vulnerability can be reviewed at this changeset: YITH WooCommerce Wishlist Changeset.


Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
