CVE-2025-12427
BaseFortify
Publication date: 2025-11-19
Last updated on: 2025-11-19
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| yith | woocommerce_wishlist | 4.10.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the YITH WooCommerce Wishlist plugin for WordPress is an Insecure Direct Object Reference (IDOR) affecting all versions up to 4.10.0. It occurs because the REST API endpoint and AJAX handler do not properly validate user-controlled keys. This allows unauthenticated attackers to discover any user's wishlist token ID and rename the victim's wishlist without authorization.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to rename wishlists of other users without permission, which can lead to integrity issues. It can be exploited for defacement, social engineering attacks, mass tampering, and profiling on multi-user stores.