CVE-2025-12040 is a security vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) found in the Wishlist for WooCommerce plugin developed by themehunk for WordPress. The vulnerability exists in all versions up to and including 1.0.9. The root cause is an insecure direct object reference (IDOR) due to insufficient validation of a user-controlled key parameter in several functions within the class-th-wishlist-frontend.php file. This lack of proper authorization checks allows unauthenticated attackers to manipulate the wishlist data of other users by crafting requests with arbitrary keys. The vulnerability impacts the confidentiality and integrity of user wishlists, potentially exposing sensitive user preferences or enabling malicious modification of wishlist contents. The CVSS v3.1 base score is 6.5, reflecting a medium severity with network attack vector, low attack complexity, no privileges required, and no user interaction needed. No patches or official fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability affects the plugin’s core functionality that integrates with WooCommerce, a widely used e-commerce platform on WordPress, making it relevant to many online retail websites.

The primary impact of this vulnerability is unauthorized access and modification of user wishlists on affected WooCommerce sites. This can lead to privacy violations as attackers can view other users’ saved products, potentially revealing purchasing intentions or personal preferences. Integrity is also compromised since attackers can alter wishlist contents, which may disrupt user experience or be leveraged in social engineering or fraud schemes. While the vulnerability does not directly affect availability, the trustworthiness of the e-commerce platform is undermined. For organizations, this can result in reputational damage, loss of customer trust, and potential regulatory scrutiny if personal data exposure is deemed significant. Since WooCommerce powers a large number of online stores globally, the scope of affected systems is broad. Exploitation requires no authentication or user interaction, increasing the risk of automated attacks or mass exploitation attempts once public details become widespread.

Organizations should immediately verify if they use the Wishlist for WooCommerce plugin by themehunk and identify the plugin version. Since no official patch is currently linked, temporary mitigations include disabling the wishlist functionality or restricting access to wishlist-related endpoints via web application firewalls (WAF) or custom access controls. Implementing strict input validation and authorization checks on the user-controlled key parameter in the plugin’s code is critical; developers should ensure that wishlist modifications are only permitted for authenticated users and only on their own data. Monitoring web server logs for suspicious requests targeting wishlist endpoints can help detect exploitation attempts. Site administrators should keep all WordPress plugins updated and subscribe to vendor security advisories for timely patch releases. Additionally, consider isolating or sandboxing e-commerce components to limit the blast radius of such vulnerabilities. Employing security plugins that enforce role-based access control and rate limiting can further reduce risk.