CVE-2025-12087 is an authorization bypass vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) affecting the Wishlist and Save for later for Woocommerce plugin for WordPress. The vulnerability exists in all versions up to 1.1.22 and is triggered via the 'awwlm_remove_added_wishlist_page' AJAX action. This action fails to properly validate a user-controlled key parameter, leading to an Insecure Direct Object Reference (IDOR) condition. As a result, authenticated users with Subscriber-level privileges or higher can manipulate the key to delete wishlist items from other users’ wishlists without proper authorization. The flaw does not require user interaction beyond authentication and can be exploited remotely over the network. The CVSS v3.1 base score is 4.3 (medium severity), reflecting low impact on confidentiality and availability but low complexity and no user interaction required. No patches or fixes have been published at the time of disclosure, and no known exploits are reported in the wild. This vulnerability undermines data integrity by allowing unauthorized modification of user-specific data, potentially damaging user trust and e-commerce functionality. The plugin is widely used in WordPress WooCommerce environments, which are prevalent in many European e-commerce sites.

For European organizations, this vulnerability poses a risk primarily to the integrity of customer data within e-commerce platforms using the affected plugin. Unauthorized deletion of wishlist items can degrade user experience, erode customer trust, and potentially impact sales if customers lose saved items. While the vulnerability does not expose sensitive personal information or affect system availability, the ability for low-privileged users to manipulate other users’ data could be leveraged in targeted attacks or combined with other vulnerabilities for broader impact. Organizations relying on WooCommerce for online retail in Europe may face reputational damage and customer dissatisfaction. The risk is heightened for businesses with large user bases or those in competitive markets where customer retention is critical. Additionally, regulatory frameworks such as GDPR emphasize data integrity and protection, so unauthorized data manipulation could have compliance implications if it leads to customer complaints or data handling issues.

1. Immediately restrict Subscriber-level user permissions to the minimum necessary and review user roles to limit access to wishlist management features. 2. Implement server-side validation and authorization checks on all AJAX endpoints, especially those handling user-controlled keys or identifiers. 3. Monitor and log AJAX requests related to wishlist modifications to detect suspicious activity or unauthorized access attempts. 4. Apply any vendor patches or updates as soon as they become available; if no patch exists, consider temporarily disabling the affected plugin or the vulnerable functionality. 5. Employ Web Application Firewalls (WAFs) with custom rules to detect and block anomalous requests targeting the vulnerable AJAX action. 6. Educate site administrators on the risk and encourage regular plugin updates and security audits. 7. Conduct penetration testing focusing on IDOR and authorization bypass scenarios in e-commerce workflows. 8. Consider implementing multi-factor authentication for user accounts to reduce risk of compromised credentials being used to exploit the vulnerability.