CVE-2025-12087 is a security vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) found in the Wishlist and Save for later for Woocommerce plugin for WordPress. The flaw exists in all versions up to and including 1.1.22 and is caused by an insecure direct object reference (IDOR) vulnerability in the AJAX action 'awwlm_remove_added_wishlist_page'. Specifically, the plugin fails to validate the ownership or authorization of the user-controlled key parameter used to identify wishlist items. This lack of validation allows any authenticated user with at least Subscriber-level privileges to manipulate the key and delete wishlist entries belonging to other users. The vulnerability does not require elevated privileges beyond Subscriber, nor does it require user interaction beyond authentication. The impact is limited to integrity, as attackers can remove wishlist items but cannot access or alter other sensitive data or disrupt service availability. The CVSS 3.1 base score is 4.3 (medium), reflecting low complexity of attack and limited impact scope. No public exploits have been reported yet, but the vulnerability poses a risk to the integrity of user data on affected WordPress e-commerce sites. The root cause is insufficient authorization checks on user-supplied input in the plugin's AJAX endpoint.

The primary impact of CVE-2025-12087 is unauthorized modification of user wishlist data on WordPress sites using the affected plugin. Attackers with Subscriber-level access can delete wishlist items belonging to other users, potentially causing user dissatisfaction, loss of user trust, and disruption of personalized shopping experiences. While the vulnerability does not expose confidential information or allow privilege escalation, it undermines data integrity and could be leveraged as part of broader attacks targeting user accounts or site reputation. For e-commerce businesses, this could translate into negative customer experiences and potential revenue loss if users rely on wishlists for purchase decisions. The scope is limited to sites running the vulnerable plugin versions, but given the popularity of WooCommerce and WordPress, a significant number of sites could be affected globally. No availability impact or remote unauthenticated exploitation is possible, reducing the overall severity but still necessitating remediation.

To mitigate CVE-2025-12087, site administrators should immediately update the Wishlist and Save for later for Woocommerce plugin to a patched version once available from the vendor. Until a patch is released, administrators can implement the following specific measures: 1) Restrict AJAX endpoint access by adding server-side checks to verify that the authenticated user owns the wishlist item before allowing deletion. 2) Employ Web Application Firewall (WAF) rules to detect and block suspicious requests attempting to manipulate the user-controlled key parameter. 3) Limit Subscriber-level user permissions if possible, or monitor user activity logs for unusual deletion patterns. 4) Conduct a thorough audit of wishlist-related functionality to ensure proper authorization checks are in place. 5) Educate users about potential risks and encourage reporting of unexpected wishlist changes. These targeted actions go beyond generic advice by focusing on access control enforcement and monitoring specific to the vulnerable plugin's functionality.