CVE-2025-12091: Subscriber-Level Attackers Can Deactivate WooCommerce Search Plugin

Overview

CVE-2025-12091 is a medium-severity vulnerability affecting the “Search, Filters & Merchandising for WooCommerce” plugin for WordPress. This plugin, also known as “Instant Search for WooCommerce”, is vulnerable to unauthorized data modification due to a missing capability check on the wcis_save_email endpoint. This flaw allows authenticated attackers with Subscriber-level access or higher to deactivate the plugin, potentially disrupting e-commerce functionality.

Published on 2025-12-06, this vulnerability highlights the importance of proper access control within WordPress plugins.

Technical Details

The vulnerability resides in the wcis_save_email endpoint of the plugin. Versions up to and including 3.0.63 lack sufficient capability checks before allowing modifications. An authenticated user, even with minimal privileges like a Subscriber role, can exploit this by sending a crafted request to the wcis_save_email endpoint. This request can be used to manipulate plugin settings, ultimately leading to deactivation. The specific vulnerable code is located around line 1074 in public/wcis_plugin.php.
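The pattern behind this class of bug, shown as an added example written for this page rather than code taken from the plugin: a `wp_ajax_` handler that writes a plugin option without verifying who is calling, beside its hardened form. The action name `wcis_save_email` comes from the advisory; the assumption that the endpoint is an admin-ajax action, the option name `wcis_notification_email`, the nonce action name and the `manage_options` capability are mine.

```php
<?php
// Added example: the vulnerable pattern behind a missing-capability-check bug
// in a WordPress AJAX handler, and the hardened form. Not the plugin's code;
// the option name, nonce action and capability are assumed for illustration.

// --- Vulnerable pattern ---------------------------------------------------
// Any logged-in user can reach wp_ajax_* hooks via /wp-admin/admin-ajax.php,
// so registering the handler alone exposes it to Subscribers.
function wcis_save_email_vulnerable() {
    $email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    // No nonce check and no capability check: a Subscriber can change the setting.
    update_option( 'wcis_notification_email', $email ); // option name assumed
    wp_send_json_success();
}
// Left unregistered on purpose so the vulnerable handler is never live:
// add_action( 'wp_ajax_wcis_save_email', 'wcis_save_email_vulnerable' );

// --- Hardened pattern -----------------------------------------------------
function wcis_save_email_hardened() {
    // 1. Reject cross-site requests. The nonce action 'wcis_save_email' and the
    //    request field 'nonce' are assumed; the form that submits here must be
    //    rendered with wp_create_nonce( 'wcis_save_email' ). The third argument
    //    (false) stops check_ajax_referer() from dying so we can answer in JSON.
    if ( ! check_ajax_referer( 'wcis_save_email', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce.' ), 403 );
    }
    // 2. Authorisation: only users allowed to manage site settings may write them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    // 3. Validate the input before persisting it.
    $email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    if ( '' === $email || ! is_email( $email ) ) {
        wp_send_json_error( array( 'message' => 'Invalid email address.' ), 400 );
    }
    update_option( 'wcis_notification_email', $email );
    wp_send_json_success( array( 'email' => $email ) );
}
add_action( 'wp_ajax_wcis_save_email', 'wcis_save_email_hardened' );
// Deliberately no wp_ajax_nopriv_ registration: anonymous visitors have no
// reason to call a settings endpoint.
```

The order of the three checks matters: the nonce check defends against CSRF, the capability check defends against exactly the low-privilege authenticated caller this CVE describes, and neither is a substitute for the other. `wp_send_json_error()` terminates the request, so execution never reaches `update_option()` on a failed check.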

CVSS Analysis

  • Severity: MEDIUM
  • CVSS Score: 4.3

The CVSS score of 4.3 indicates a moderate level of concern. The exploit requires authentication, but the low privileges required for exploitation (Subscriber role) increase the potential attack surface. The impact is primarily on availability, as the plugin deactivation can disrupt website functionality.

Possible Impact

Successful exploitation of CVE-2025-12091 can lead to the following consequences:

  • Plugin Deactivation: The attacker can deactivate the “Search, Filters & Merchandising for WooCommerce” plugin.
  • Disrupted Search Functionality: Deactivating the plugin disables advanced search and filtering capabilities on the WooCommerce store.
  • Reduced Sales: Poor search functionality can lead to a negative user experience, potentially decreasing sales and revenue.
  • Website Defacement (Indirect): The deactivation does not alter page content directly, but the resulting disruption to the store can be regarded as a form of defacement.

Mitigation and Patch Steps

The vulnerability has been addressed in version 3.0.64 of the “Search, Filters & Merchandising for WooCommerce” plugin. The following steps are recommended:

  1. Update the Plugin: Immediately update the “Search, Filters & Merchandising for WooCommerce” plugin to version 3.0.64 or later through the WordPress admin dashboard.
  2. Monitor User Roles: Review and restrict user roles to ensure that users only have the necessary permissions.
  3. Implement a Web Application Firewall (WAF): A WAF can help detect and block malicious requests targeting the wcis_save_email endpoint, providing an additional layer of security.
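For a site that cannot update immediately, an added example of the kind of interim control step 3 describes, written for this page and not supplied by the plugin: a must-use plugin that refuses the wcis_save_email action for any caller below the `manage_options` capability and records the attempt for follow-up. It assumes the endpoint is reached through admin-ajax.php with `action=wcis_save_email`, which the advisory does not state explicitly; the capability, the log line format and the `wcis_guard_` names are my choices.

```php
<?php
/**
 * Plugin Name: Interim guard for wcis_save_email (added example, not the plugin's code)
 * Description: Drop into wp-content/mu-plugins/ until the plugin is updated to 3.0.64 or later.
 */

// Assumption: the endpoint is an admin-ajax action named wcis_save_email.
const WCIS_GUARD_ACTION     = 'wcis_save_email';
const WCIS_GUARD_CAPABILITY = 'manage_options'; // capability chosen for this example

/**
 * Decide whether a request should be blocked: it targets the guarded action
 * and the caller lacks the required capability. Kept pure so it can be tested.
 */
function wcis_guard_should_block( $action, $caller_has_capability ) {
    return WCIS_GUARD_ACTION === $action && ! $caller_has_capability;
}

function wcis_guard_admin_ajax() {
    if ( ! wp_doing_ajax() ) {
        return;
    }
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    if ( ! wcis_guard_should_block( $action, current_user_can( WCIS_GUARD_CAPABILITY ) ) ) {
        return;
    }
    // Record enough to investigate without writing the submitted payload to the log.
    $user = wp_get_current_user(); // ID 0 and empty login for anonymous callers
    error_log( sprintf(
        'wcis-guard: blocked action=%s user_id=%d login=%s ip=%s',
        $action,
        $user->ID,
        $user->user_login,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );
    wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
}

// admin-ajax.php fires admin_init before the wp_ajax_{action} hook, so at
// priority 1 the guard runs ahead of the plugin's own handler.
add_action( 'admin_init', 'wcis_guard_admin_ajax', 1 );
```

Because the guard runs before the plugin's handler, it blocks the request whether or not the plugin itself has been fixed, and the `wcis-guard:` log lines give a simple signal to alert on while the update is rolled out. It is a stopgap only; the update in step 1 remains the actual fix.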
