CVE-2025-12115
BaseFortify
Publication date: 2025-10-31
Last updated on: 2025-11-04
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wpc_name_your_price | plugin | 2.2.0 |
| wpc_name_your_price | plugin | 2.1.9 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-602 | The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the WPC Name Your Price for WooCommerce plugin allows unauthenticated attackers to purchase products at prices lower than intended. This happens because the plugin does not properly disable the ability to name a custom price when this feature is disabled for a product. Essentially, attackers can bypass restrictions and set unauthorized custom prices, leading to unauthorized price alterations. [2]
How can this vulnerability impact me?
This vulnerability can lead to financial loss, as attackers can buy products for less than the price the store set. It undermines the pricing integrity of any WooCommerce store using the affected plugin, potentially causing revenue loss and affecting business operations. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the WPC Name Your Price plugin version is 2.1.9 or earlier, as these versions are vulnerable. You can verify the plugin version installed on your WordPress site by running the following WP-CLI command: `wp plugin list --status=active | grep wpc-name-your-price`. Additionally, monitoring HTTP requests to the WooCommerce product purchase endpoints for unusual price parameters or attempts to submit custom prices when the feature is disabled may help detect exploitation attempts. However, no specific detection commands or signatures are provided in the available resources. [2]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the WPC Name Your Price plugin to version 2.2.0 or later, as this version contains the security fix addressing the vulnerability. The update improves validation of product eligibility for custom pricing, sanitizes user input to prevent negative or invalid prices, and enforces product status checks to disable unauthorized price naming. Until the update is applied, consider disabling the plugin or restricting access to the custom price feature to trusted users only. [2]