Overview
CVE-2025-12040 is a medium-severity vulnerability in the Wishlist for WooCommerce plugin for WordPress. It is an Insecure Direct Object Reference (IDOR) present in versions up to and including 1.0.9 that lets unauthenticated attackers modify other users' wishlists.
Technical Details
The vulnerability resides in the plugin's class-th-wishlist-frontend.php file. Several functions there accept a user-controlled key that selects the wishlist to operate on, but never check that the requester is entitled to change that wishlist: there is no comparison between the wishlist's owner and the currently logged-in user, and no equivalent binding for anonymous visitors, even though the handlers are reachable without authentication. The key therefore acts as both identifier and authorization, so anyone who obtains or guesses another list's key can add, remove or change its items simply by sending a request that carries that key instead of their own. How readily keys can be obtained depends on how the plugin generates them and whether they appear in shareable wishlist URLs; the data reproduced here does not say, so the safe assumption is that they are obtainable.
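The pattern described above, and one way to close it, as a constructed example. This is not the plugin's code: the table names (wp_th_wishlists, wp_th_wishlist_items), the nonce action 'example_wishlist', the guest cookie 'example_wishlist_session' and the function names are all assumptions made for illustration; the WordPress and WooCommerce APIs used (wpdb, check_ajax_referer, get_current_user_id, wc_get_product) are real.

```php
<?php
/**
 * Constructed example (not the plugin's code) of the IDOR pattern described
 * above, followed by a hardened version. Assumes hypothetical tables
 * wp_th_wishlists(id, wishlist_key, user_id, session_key) and
 * wp_th_wishlist_items(wishlist_id, product_id), a hypothetical nonce action
 * 'example_wishlist' and a hypothetical guest cookie 'example_wishlist_session'.
 * Runs inside WordPress with WooCommerce active.
 */

// BEFORE: the client-supplied key is the only thing that selects the wishlist,
// so any visitor who knows or guesses a key can change that list.
function example_add_item_vulnerable() {
    global $wpdb;
    $key        = sanitize_text_field( wp_unslash( $_POST['wishlist_key'] ?? '' ) );
    $product_id = absint( $_POST['product_id'] ?? 0 );

    $wishlist_id = $wpdb->get_var( $wpdb->prepare(
        "SELECT id FROM {$wpdb->prefix}th_wishlists WHERE wishlist_key = %s",
        $key
    ) );
    if ( ! $wishlist_id ) {
        wp_send_json_error( 'unknown wishlist', 404 );
    }
    // No check that the caller owns $wishlist_id: this is the IDOR.
    $wpdb->insert(
        "{$wpdb->prefix}th_wishlist_items",
        array( 'wishlist_id' => (int) $wishlist_id, 'product_id' => $product_id ),
        array( '%d', '%d' )
    );
    wp_send_json_success();
}

// AFTER: the key only locates the row; the right to modify it comes from the
// server-side identity (logged-in user id, or the guest's session cookie).
function example_caller_may_modify( $row ) {
    if ( (int) $row->user_id > 0 ) {
        // Owned list: only its owner (or a shop manager) may change it.
        return get_current_user_id() === (int) $row->user_id
            || current_user_can( 'manage_woocommerce' );
    }
    // Guest list: bound to the browser that created it by a random session
    // token that is kept in a cookie and never placed in share URLs.
    $cookie = isset( $_COOKIE['example_wishlist_session'] )
        ? sanitize_text_field( wp_unslash( $_COOKIE['example_wishlist_session'] ) )
        : '';
    return $cookie !== '' && hash_equals( (string) $row->session_key, $cookie );
}

function example_add_item_hardened() {
    global $wpdb;
    // CSRF protection. A nonce alone does not fix the IDOR, because an
    // unauthenticated visitor can obtain a valid nonce from any page.
    check_ajax_referer( 'example_wishlist', 'nonce' );

    $key        = sanitize_text_field( wp_unslash( $_POST['wishlist_key'] ?? '' ) );
    $product_id = absint( $_POST['product_id'] ?? 0 );

    $row = $wpdb->get_row( $wpdb->prepare(
        "SELECT id, user_id, session_key FROM {$wpdb->prefix}th_wishlists WHERE wishlist_key = %s",
        $key
    ) );
    // Same response for "missing" and "not yours", so keys cannot be enumerated
    // by watching which ones produce a different error.
    if ( ! $row || ! example_caller_may_modify( $row ) ) {
        wp_send_json_error( 'wishlist not found', 404 );
    }
    if ( ! $product_id || ! wc_get_product( $product_id ) ) {
        wp_send_json_error( 'invalid product', 400 );
    }
    $wpdb->insert(
        "{$wpdb->prefix}th_wishlist_items",
        array( 'wishlist_id' => (int) $row->id, 'product_id' => $product_id ),
        array( '%d', '%d' )
    );
    wp_send_json_success();
}

add_action( 'wp_ajax_example_add_item',        'example_add_item_hardened' );
add_action( 'wp_ajax_nopriv_example_add_item', 'example_add_item_hardened' );
```

The essential change is that the key never decides who may write: for logged-in users the wishlist's stored owner is compared with get_current_user_id(), and for guests a separate secret held only in the creating browser's cookie is compared with hash_equals. Making keys long and random would slow guessing but is not a substitute, since keys that are shared or linked are by design known to other people.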
CVSS Analysis
- CVE ID: CVE-2025-12040
- Severity: MEDIUM
- CVSS Score: 6.5
- CVSS Vector: the full vector string is not included in the provided data. Note that the vector one might assume for an integrity-only flaw, AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, does not match the published score: under CVSS v3.1 it evaluates to 7.5, not 6.5. With network access, low attack complexity, no privileges, no user interaction and unchanged scope, a base score of 6.5 corresponds to two Low impacts (for example C:N/I:L/A:L, or C:L/I:L/A:N). Read with the description, the score therefore indicates a remotely exploitable, unauthenticated weakness whose impact is limited to altering (and possibly disrupting) wishlist data, not a high-impact integrity compromise of the site.
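The arithmetic behind the score comparison above, as an added example that is not part of the advisory. It implements the CVSS v3.1 base-score equations and Roundup function from the specification and evaluates the vector the text might assume alongside two vectors that actually produce 6.5; the vectors are illustrative candidates, not the published one.

```php
<?php
// Added example (not from the advisory): CVSS v3.1 base-score arithmetic,
// used here to check which candidate vectors are consistent with a 6.5.

const CVSS_AV  = array( 'N' => 0.85, 'A' => 0.62, 'L' => 0.55, 'P' => 0.2 );
const CVSS_AC  = array( 'L' => 0.77, 'H' => 0.44 );
const CVSS_UI  = array( 'N' => 0.85, 'R' => 0.62 );
const CVSS_CIA = array( 'H' => 0.56, 'L' => 0.22, 'N' => 0.0 );

// Privileges Required weight depends on whether scope is changed.
function cvss_pr( $pr, $scope ) {
    $table = ( $scope === 'C' )
        ? array( 'N' => 0.85, 'L' => 0.68, 'H' => 0.5 )
        : array( 'N' => 0.85, 'L' => 0.62, 'H' => 0.27 );
    return $table[ $pr ];
}

// Roundup as defined in CVSS v3.1 Appendix A (avoids floating-point surprises).
function cvss_roundup( $value ) {
    $int = (int) round( $value * 100000 );
    if ( $int % 10000 === 0 ) {
        return $int / 100000.0;
    }
    return ( floor( $int / 10000 ) + 1 ) / 10.0;
}

// Parses a vector string such as CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
// and returns the base score.
function cvss31_base_score( $vector ) {
    $m = array();
    foreach ( explode( '/', $vector ) as $metric ) {
        if ( strpos( $metric, ':' ) !== false ) {
            list( $k, $v ) = explode( ':', $metric, 2 );
            $m[ $k ] = $v;
        }
    }
    $scope = $m['S'];
    $iss   = 1 - ( 1 - CVSS_CIA[ $m['C'] ] ) * ( 1 - CVSS_CIA[ $m['I'] ] ) * ( 1 - CVSS_CIA[ $m['A'] ] );
    $impact = ( $scope === 'C' )
        ? 7.52 * ( $iss - 0.029 ) - 3.25 * pow( $iss - 0.02, 15 )
        : 6.42 * $iss;
    $exploitability = 8.22 * CVSS_AV[ $m['AV'] ] * CVSS_AC[ $m['AC'] ]
        * cvss_pr( $m['PR'], $scope ) * CVSS_UI[ $m['UI'] ];

    if ( $impact <= 0 ) {
        return 0.0;
    }
    if ( $scope === 'C' ) {
        return cvss_roundup( min( 1.08 * ( $impact + $exploitability ), 10 ) );
    }
    return cvss_roundup( min( $impact + $exploitability, 10 ) );
}

$candidates = array(
    'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N', // integrity High: scores 7.5
    'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L', // two Low impacts: scores 6.5
    'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N', // also two Low impacts: 6.5
);
foreach ( $candidates as $v ) {
    printf( "%s => %.1f\n", $v, cvss31_base_score( $v ) );
}
```

Running this prints 7.5 for the first vector and 6.5 for the other two. The exploitability sub-score is identical for all three (8.22 x 0.85 x 0.77 x 0.85 x 0.85, about 3.89); only the impact sub-score differs (6.42 x 0.56 for a single High, versus 6.42 x 0.3916 for two Lows), which is why the severity reading in the text has to be "limited impact" rather than "high integrity compromise".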
Possible Impact
Successful exploitation of CVE-2025-12040 can have several negative consequences:
- Wishlist Defacement: attackers can arbitrarily add items to or remove items from other users' wishlists, causing confusion and eroding trust in the store.
- Disrupted Shopping: altered wishlists interfere with legitimate users' planning and purchasing, and bulk modification could degrade the feature for many customers at once.
- Potential for Phishing or Manipulation: where wishlists are shared or emailed, an attacker-inserted product can be used as a lure; whether arbitrary links can be injected depends on what the plugin renders from wishlist data, which the advisory data here does not establish.
Mitigation and Patch Steps
The recommended course of action is to update the Wishlist for WooCommerce plugin to a version higher than 1.0.9 as soon as one is available. If no fixed release exists yet, temporarily disable the plugin until one is published.
- Update the Plugin: in the WordPress admin dashboard, open "Plugins" and update "Wishlist for WooCommerce" to the latest available version.
- Verify the Update: after updating, confirm that the installed version is higher than 1.0.9 (the Plugins screen, or `wp plugin list` if WP-CLI is available).
- Monitor for Further Updates: watch the plugin's changelog and security advisories for follow-up fixes, since IDOR fixes that cover "several functions" are sometimes incomplete on the first attempt.
- Review Logs: in the meantime, look in web server logs for bursts of wishlist requests from one source that cycle through many different wishlist keys; that pattern is what enumeration of other users' lists would look like.
- If No Update Is Available: deactivate the plugin as a temporary measure. This removes the exposure but also removes wishlist functionality from the site until a patched version is installed.
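One way to enforce the "verify, and disable if still vulnerable" steps across many sites, as an added example that is not part of the advisory or of the plugin: a must-use plugin that reads the installed version and deactivates the plugin while it is within the affected range. The main plugin file path th-wishlist/th-wishlist.php is an assumption; confirm the real path on the Plugins screen or with `wp plugin list` before deploying.

```php
<?php
/**
 * Plugin Name: Example guard for CVE-2025-12040
 * Added example (not the advisory's or the plugin's code). Place in
 * wp-content/mu-plugins/ so it loads on every request without activation.
 * ASSUMPTION: the plugin's main file is th-wishlist/th-wishlist.php.
 */

const EXAMPLE_THW_PLUGIN   = 'th-wishlist/th-wishlist.php';
const EXAMPLE_THW_LAST_BAD = '1.0.9'; // last affected release per the advisory

// Reads the Version header of the installed plugin, or null if not installed.
function example_thw_installed_version() {
    if ( ! function_exists( 'get_plugin_data' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $path = WP_PLUGIN_DIR . '/' . EXAMPLE_THW_PLUGIN;
    if ( ! file_exists( $path ) ) {
        return null;
    }
    $data = get_plugin_data( $path, false, false );
    return $data['Version'] ?? null;
}

// True when the installed build is within the affected range (<= 1.0.9).
// version_compare handles 1.0.10 > 1.0.9 correctly, unlike string comparison.
function example_thw_is_vulnerable( $version ) {
    return $version !== null && version_compare( $version, EXAMPLE_THW_LAST_BAD, '<=' );
}

add_action( 'admin_init', function () {
    $version = example_thw_installed_version();
    if ( ! example_thw_is_vulnerable( $version ) || ! is_plugin_active( EXAMPLE_THW_PLUGIN ) ) {
        return;
    }
    // Temporary containment: keep the plugin off until a fixed release is installed.
    deactivate_plugins( EXAMPLE_THW_PLUGIN );
    add_action( 'admin_notices', function () use ( $version ) {
        printf(
            '<div class="notice notice-error"><p>%s</p></div>',
            esc_html( "Wishlist for WooCommerce $version is affected by CVE-2025-12040 and has been deactivated. Update to a release newer than 1.0.9, then re-enable it." )
        );
    } );
} );
```

Because the guard keys off the version header rather than the plugin being present, it becomes a no-op the moment a release newer than 1.0.9 is installed, so it can be left in place and removed at leisure.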
