CVE-2025-12777
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-19

Last updated on: 2025-11-19

Assigner: Wordfence

Description
The YITH WooCommerce Wishlist plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.10.0. This is due to the plugin not properly verifying that a user is authorized to perform actions on the REST API /wp-json/yith/wishlist/v1/lists endpoint (which uses permission_callback => '__return_true') and the AJAX delete_item handler (which only checks nonce validity without verifying object-level authorization). This makes it possible for unauthenticated attackers to disclose wishlist tokens for any user and subsequently delete wishlist items by chaining the REST API authorization bypass with the exposed delete_item nonce on shared wishlist pages and the AJAX handler's missing object-level authorization check.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-19
Last Modified
2025-11-19
Generated
2026-06-16
AI Q&A
2025-11-19
EPSS Evaluated
2026-06-15
NVD
CVE-2025-12777
EUVD
EUVD-2025-198126
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
yith woocommerce_wishlist 4.10.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in the YITH WooCommerce Wishlist plugin for WordPress allows unauthorized users to bypass authorization checks on the REST API endpoint /wp-json/yith/wishlist/v1/lists and the AJAX delete_item handler. This happens because the plugin does not properly verify if a user is authorized to perform actions, using a permission callback that always returns true and only checking nonce validity without verifying object-level authorization. As a result, unauthenticated attackers can disclose wishlist tokens for any user and delete wishlist items by exploiting these flaws.

Impact Analysis

This vulnerability can allow unauthenticated attackers to access wishlist tokens of any user and delete wishlist items without proper authorization. This could lead to unauthorized modification or deletion of user data related to wishlists, potentially causing data loss or disruption of user experience on affected WordPress sites using the vulnerable plugin.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-12777. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart