Overview
CVE-2025-12358 is a MEDIUM severity Cross-Site Request Forgery (CSRF) vulnerability found in the ShopEngine Elementor WooCommerce Builder Addon plugin for WordPress. This vulnerability affects all versions up to and including 4.8.5. It allows unauthenticated attackers to add or remove products from a user’s wishlist without their consent, potentially manipulating customer data and impacting the integrity of your online store.
Technical Details
The vulnerability stems from two key issues:
- Missing Nonce Validation in “post_add_to_list” function: The “post_add_to_list” function, responsible for adding or removing items from a wishlist, lacks proper nonce validation. Nonces are per-session, per-action tokens that let the application verify that a request was deliberately issued from its own pages rather than forged by a third-party site. Without that check, the handler cannot tell a genuine wishlist change from a request an attacker forged.
- Incorrect Permissions Callback in “Api/init” function: The “Api/init” function uses an incorrect permissions callback, allowing unauthenticated users to access and manipulate wishlist data through API endpoints that should be protected.
Exploitation requires tricking a logged-in user into performing an action, such as clicking a malicious link. This link would then execute the forged request on the user’s behalf, adding or removing products from their wishlist without their knowledge.
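To make the two root causes concrete, the following PHP sketch, written for this advisory and not taken from the ShopEngine plugin, shows the weak pattern beside the hardened one: a REST route registered with a permission callback that always returns true, versus a route whose permission callback requires an authenticated user, plus an admin-ajax handler that verifies an action-specific nonce before touching data. All function, route, option and nonce-action names are hypothetical placeholders.

```php
<?php
/**
 * Added illustration (not ShopEngine's code): the two defensive checks the
 * advisory says were missing. Function, route, meta-key and nonce-action
 * names are hypothetical placeholders chosen for this example.
 */

// Hypothetical wishlist helper: toggles a product id in the current user's
// wishlist stored as user meta. Name and storage key are assumptions.
function example_toggle_wishlist_item( int $user_id, int $product_id ): array {
    $list = get_user_meta( $user_id, 'example_wishlist', true );
    $list = is_array( $list ) ? $list : [];
    $key  = array_search( $product_id, $list, true );
    if ( false === $key ) {
        $list[] = $product_id;          // not present: add it
    } else {
        unset( $list[ $key ] );         // present: remove it
    }
    $list = array_values( $list );
    update_user_meta( $user_id, 'example_wishlist', $list );
    return $list;
}

// --- Weak pattern (the class of defect the advisory describes) ----------
// A permission callback that always returns true lets any HTTP client,
// logged in or not, reach the handler; nothing ties the request to a user.
function example_register_weak_route() {
    register_rest_route( 'example/v1', '/wishlist', [
        'methods'             => 'POST',
        'callback'            => 'example_handle_wishlist',
        'permission_callback' => '__return_true',
    ] );
}

// --- Hardened pattern ---------------------------------------------------
// 1. The permission callback requires an authenticated user. WordPress only
//    honours a cookie session on REST requests that carry a valid 'wp_rest'
//    nonce (X-WP-Nonce header); a cross-site form post from a victim's
//    browser has no such nonce and therefore arrives as user 0 and is denied.
function example_register_hardened_route() {
    register_rest_route( 'example/v1', '/wishlist', [
        'methods'             => 'POST',
        'callback'            => 'example_handle_wishlist',
        'permission_callback' => function ( WP_REST_Request $request ) {
            return is_user_logged_in() && current_user_can( 'read' );
        },
        'args' => [
            'product_id' => [
                'required'          => true,
                'sanitize_callback' => 'absint',
                'validate_callback' => function ( $value ) {
                    return absint( $value ) > 0;
                },
            ],
        ],
    ] );
}

function example_handle_wishlist( WP_REST_Request $request ) {
    $product_id = (int) $request->get_param( 'product_id' );
    $list       = example_toggle_wishlist_item( get_current_user_id(), $product_id );
    return rest_ensure_response( [ 'wishlist' => $list ] );
}

// 2. For the admin-ajax / form path, verify an action-specific nonce before
//    touching data. check_ajax_referer() ends the request with HTTP 403 when
//    the 'nonce' field is missing, stale, or minted for another user.
function example_ajax_post_add_to_list() {
    check_ajax_referer( 'example_wishlist_action', 'nonce' );
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 401 );
    }
    $product_id = isset( $_POST['product_id'] ) ? absint( $_POST['product_id'] ) : 0;
    if ( 0 === $product_id ) {
        wp_send_json_error( 'invalid product', 400 );
    }
    wp_send_json_success( [
        'wishlist' => example_toggle_wishlist_item( get_current_user_id(), $product_id ),
    ] );
}

// The nonce the front end must send is minted per logged-in session, e.g.
// handed to the script via wp_localize_script():
//   wp_create_nonce( 'example_wishlist_action' )
// Only the logged-in hook is registered (no wp_ajax_nopriv_ variant), so
// anonymous callers never reach the handler at all.
add_action( 'rest_api_init', 'example_register_hardened_route' );
add_action( 'wp_ajax_example_post_add_to_list', 'example_ajax_post_add_to_list' );
```

The two checks are complementary rather than redundant: the permission callback answers "is this caller allowed to change a wishlist at all?", while the nonce answers "did this particular user intend this particular action?". A CSRF defence needs the second even when the first is correct, which is why the advisory lists the missing nonce and the wrong permissions callback as separate findings.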
CVSS Analysis
The Common Vulnerability Scoring System (CVSS) score for CVE-2025-12358 is 4.3 (MEDIUM). The CVSS vector is likely AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. This score reflects the following:
- Attack Vector (AV:N): Network – The vulnerability can be exploited over the network.
- Attack Complexity (AC:L): Low – The attack is relatively easy to execute.
- Privileges Required (PR:N): None – No privileges are required to exploit the vulnerability.
- User Interaction (UI:R): Required – User interaction is required (e.g., clicking a link).
- Scope (S:U): Unchanged – An exploited vulnerability can only affect resources managed by the same security authority.
- Confidentiality (C:N): None – There is no impact to confidentiality.
- Integrity (I:L): Low – There is a low impact to integrity.
- Availability (A:N): None – There is no impact to availability.
Possible Impact
Successful exploitation of this vulnerability could lead to:
- Wishlist Manipulation: Attackers can arbitrarily add or remove products from a user’s wishlist.
- Data Corruption: Large-scale manipulation can corrupt wishlist data, leading to customer dissatisfaction.
- Reputational Damage: Customers may lose trust in your store if they suspect their data is being tampered with.
- Potential for Phishing: Attackers could add specific products to wishlists to trick users into visiting malicious sites or engaging in phishing scams.
Mitigation and Patch Steps
The recommended mitigation is to update the ShopEngine Elementor WooCommerce Builder Addon plugin to the latest version. This vulnerability has been patched in versions greater than 4.8.5.
- Update the Plugin: Log in to your WordPress admin dashboard and navigate to “Plugins” -> “Installed Plugins”. Find the ShopEngine plugin and click “Update Now”. If an update is not available directly, you may need to download the latest version from the WordPress plugin repository and manually install it.
- Verify the Update: After updating, verify that the plugin version is greater than 4.8.5 to ensure the patch is applied.
- Monitor for Suspicious Activity: Keep an eye on user wishlists for any unusual or unauthorized changes.
