CVE-2025-12427: Critical Vulnerability in YITH WooCommerce Wishlist Plugin – Wishlist Takeover

Overview

CVE-2025-12427 is a medium-severity vulnerability affecting the YITH WooCommerce Wishlist plugin for WordPress. It allows unauthenticated attackers to discover and manipulate any user’s wishlist, potentially leading to defacement, social engineering attacks, and data exfiltration.

This vulnerability exists in versions up to, and including, 4.10.0 of the plugin.

Technical Details

The vulnerability stems from an Insecure Direct Object Reference (IDOR) flaw in the plugin’s REST API endpoint and AJAX handler. Specifically, the plugin lacks sufficient validation on user-controlled keys when handling wishlist requests. This allows an unauthenticated attacker to:

  1. Discover any user’s wishlist token ID.
  2. Rename the victim’s wishlist without proper authorization.
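The flaw class described above, shown as an added, constructed example rather than the plugin’s own code: a WordPress REST route that accepts a wishlist token from the request and treats it as proof of ownership, beside a hardened version that requires an authenticated user and checks that the wishlist belongs to that user before renaming it. All route names, table names and helper functions (`example_get_wishlist`, `example_rename_wishlist`) are hypothetical.

```php
<?php
// Constructed illustration of the IDOR pattern from the advisory.
// Not YITH's code; every name below is hypothetical.

// Hypothetical storage: one row per wishlist, keyed by token, with its owner.
function example_get_wishlist( string $token ): ?array {
    global $wpdb;
    $table = $wpdb->prefix . 'example_wishlists';
    $row   = $wpdb->get_row(
        $wpdb->prepare( "SELECT id, token, owner_id, name FROM {$table} WHERE token = %s", $token ),
        ARRAY_A
    );
    return $row ?: null;
}

function example_rename_wishlist( int $id, string $name ): void {
    global $wpdb;
    $wpdb->update(
        $wpdb->prefix . 'example_wishlists',
        [ 'name' => $name ],
        [ 'id' => $id ],
        [ '%s' ],
        [ '%d' ]
    );
}

add_action( 'rest_api_init', function () {
    // VULNERABLE: the route is open to anonymous callers and the handler
    // trusts the client-supplied token as proof of ownership. Anyone who
    // learns or guesses a token can rename the wishlist it refers to.
    register_rest_route( 'example/v1', '/wishlist/rename-unsafe', [
        'methods'             => 'POST',
        'permission_callback' => '__return_true',
        'callback'            => function ( WP_REST_Request $req ) {
            $wishlist = example_get_wishlist( (string) $req->get_param( 'token' ) );
            if ( ! $wishlist ) {
                return new WP_Error( 'not_found', 'No such wishlist', [ 'status' => 404 ] );
            }
            example_rename_wishlist( (int) $wishlist['id'], sanitize_text_field( (string) $req->get_param( 'name' ) ) );
            return rest_ensure_response( [ 'renamed' => true ] );
        },
    ] );

    // HARDENED: the route requires an authenticated user, parameters are
    // validated and sanitized, and the handler checks that the wishlist
    // belongs to the caller before touching it. Knowing a token is no
    // longer sufficient to modify someone else's wishlist.
    register_rest_route( 'example/v1', '/wishlist/rename', [
        'methods'             => 'POST',
        'permission_callback' => function () {
            return is_user_logged_in();
        },
        'args'                => [
            'token' => [ 'required' => true, 'type' => 'string', 'sanitize_callback' => 'sanitize_text_field' ],
            'name'  => [ 'required' => true, 'type' => 'string', 'sanitize_callback' => 'sanitize_text_field' ],
        ],
        'callback'            => function ( WP_REST_Request $req ) {
            $wishlist = example_get_wishlist( (string) $req->get_param( 'token' ) );
            // Same response for "does not exist" and "not yours", so the
            // endpoint cannot be used to confirm which tokens are valid.
            if ( ! $wishlist || (int) $wishlist['owner_id'] !== get_current_user_id() ) {
                return new WP_Error( 'rest_forbidden', 'Cannot modify this wishlist', [ 'status' => 403 ] );
            }
            example_rename_wishlist( (int) $wishlist['id'], (string) $req->get_param( 'name' ) );
            return rest_ensure_response( [ 'renamed' => true ] );
        },
    ] );
} );
```

The same ownership check belongs in any admin-ajax handler that performs the rename: a `wp_ajax_nopriv_` hook makes the action reachable without a session, and `check_ajax_referer()` only proves the request came from a page the site served, not that the caller owns the wishlist being named. For guest wishlists that are not tied to a user account, the comparison against `get_current_user_id()` would instead be against the session identifier that created the wishlist; the principle is unchanged, in that the server, not the client, decides which wishlist a request may touch.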

The vulnerable code can be found in the following files:

CVSS Analysis

The Common Vulnerability Scoring System (CVSS) score for CVE-2025-12427 is 5.3 (Medium).

This score reflects the following characteristics:

  • Attack Vector: Network (AV:N)
  • Attack Complexity: Low (AC:L)
  • Privileges Required: None (PR:N)
  • User Interaction: None (UI:N)
  • Scope: Unchanged (S:U)
  • Confidentiality Impact: None (C:N)
  • Integrity Impact: Low (I:L)
  • Availability Impact: None (A:N)

Possible Impact

Exploitation of this vulnerability can have several negative consequences:

  • Defacement: Attackers can rename wishlists to offensive or misleading titles, harming the store’s reputation.
  • Social Engineering Attacks: Manipulated wishlists could be used to trick users into clicking malicious links or providing sensitive information.
  • Mass Tampering: Attackers can systematically alter numerous wishlists, causing widespread disruption.
  • Profiling: Gathering wishlist token IDs enables attackers to correlate information about user preferences, potentially for targeted advertising or phishing campaigns.

Mitigation or Patch Steps

The recommended mitigation is to update the YITH WooCommerce Wishlist plugin to the latest version. The vulnerability has been patched in later versions. Refer to the changelog provided by YITH for details on the fix.

The fix was implemented in this changeset: YITH WooCommerce Wishlist Changelog

If you are unable to update immediately, consider temporarily disabling the wishlist functionality until an update can be applied.

References

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
