CVE-2025-12087: CWE-639 Authorization Bypass Through User-Controlled Key in acowebs Wishlist and Save for later for Woocommerce
The Wishlist and Save for later for Woocommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.22 via the 'awwlm_remove_added_wishlist_page' AJAX action due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete wishlist items from other users' wishlists.
AI Analysis
Technical Summary
CVE-2025-12087 is an authorization bypass vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) found in the Wishlist and Save for later for Woocommerce plugin for WordPress. The flaw exists in all versions up to and including 1.1.22. The vulnerability arises from insufficient validation of a user-controlled key parameter in the AJAX action 'awwlm_remove_added_wishlist_page'. This AJAX endpoint is intended to allow users to remove items from their own wishlists. However, due to missing validation, an authenticated attacker with at least Subscriber-level privileges can manipulate the key parameter to target and delete wishlist items belonging to other users. This constitutes an Insecure Direct Object Reference (IDOR) vulnerability, enabling unauthorized modification of other users' wishlist data. The attack vector is network-based and does not require user interaction beyond authentication. The CVSS v3.1 base score is 4.3 (medium severity), reflecting low complexity and no impact on confidentiality or availability, but a partial impact on integrity. No patches or fixes have been released at the time of publication, and no known exploits have been observed in the wild. The vulnerability could be leveraged to disrupt user experience, cause confusion, or damage trust in e-commerce platforms relying on this plugin.
Potential Impact
For European organizations operating e-commerce websites using WordPress with the affected Wishlist and Save for later for Woocommerce plugin, this vulnerability poses a risk to data integrity and user trust. Attackers with low-level authenticated access (Subscriber or above) can delete wishlist items of other users, potentially leading to customer dissatisfaction and reputational damage. While the vulnerability does not expose sensitive data or disrupt service availability, unauthorized modification of user data can undermine confidence in the platform's security. In sectors with strict data protection regulations such as GDPR, failure to secure user data integrity could lead to compliance scrutiny if exploited. Additionally, attackers might use this flaw as part of broader attacks to escalate privileges or conduct targeted harassment. The impact is more pronounced for organizations with large user bases or those relying heavily on wishlist features for marketing and sales strategies.
Mitigation Recommendations
European organizations should immediately audit their WordPress installations to identify the presence of the affected Wishlist and Save for later for Woocommerce plugin versions up to 1.1.22. Until an official patch is released, administrators should consider disabling the wishlist functionality or restricting access to the AJAX endpoint via web application firewall (WAF) rules that validate user permissions and parameters. Implementing strict server-side validation to ensure that users can only modify their own wishlist items is critical. Monitoring logs for suspicious AJAX requests targeting 'awwlm_remove_added_wishlist_page' can help detect exploitation attempts. Organizations should also enforce the principle of least privilege by limiting Subscriber-level accounts and reviewing user roles regularly. Promptly applying any future patches from the vendor is essential. Additionally, informing users about potential risks and encouraging them to report anomalies can aid in early detection.
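The technical summary above describes the root cause (a user-controlled key that selects a wishlist item with no check that the caller owns it) and the mitigation section asks for strict server-side validation. The handler below is an added example of what that validation looks like in a WordPress AJAX endpoint; it is not the vendor plugin's code. The hook name 'example_remove_wishlist_item', the nonce action 'example_wishlist_nonce', the request parameter 'item_id' and the user-meta key 'example_wishlist' are all assumptions chosen for illustration, and the wishlist is assumed to be stored per user as an array keyed by item id.

```php
<?php
// Added example (not the plugin's code): a WordPress AJAX handler that removes a
// wishlist item only from the requesting user's own wishlist. All names below
// (hook, nonce action, parameter, meta key) are hypothetical.

add_action( 'wp_ajax_example_remove_wishlist_item', 'example_remove_wishlist_item' );

function example_remove_wishlist_item() {
    // 1. Authentication. wp_ajax_* hooks only run for logged-in users, but an
    //    explicit check keeps the handler safe if it is ever also attached to
    //    a wp_ajax_nopriv_* hook.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'Authentication required.' ), 401 );
    }

    // 2. CSRF protection: the nonce in the 'nonce' field must have been issued
    //    for this action. check_ajax_referer() dies on failure.
    check_ajax_referer( 'example_wishlist_nonce', 'nonce' );

    // 3. Input validation: the key is attacker-controlled, so normalise it to a
    //    positive integer before using it for anything.
    $item_id = isset( $_POST['item_id'] ) ? absint( $_POST['item_id'] ) : 0;
    if ( 0 === $item_id ) {
        wp_send_json_error( array( 'message' => 'Invalid item id.' ), 400 );
    }

    // 4. Authorization (the missing step in a CWE-639 bug): scope the lookup to
    //    the current user's wishlist instead of resolving the key globally. A
    //    handler that deletes whatever row the key points at, regardless of
    //    owner, is exactly the IDOR pattern described in the advisory.
    $current_user_id = get_current_user_id();
    $wishlist        = get_user_meta( $current_user_id, 'example_wishlist', true );

    if ( ! is_array( $wishlist ) || ! array_key_exists( $item_id, $wishlist ) ) {
        // Same response whether the item belongs to another user or does not
        // exist, so the endpoint does not reveal which ids are valid.
        wp_send_json_error( array( 'message' => 'Item not found in your wishlist.' ), 403 );
    }

    // 5. Perform the mutation only on data the caller is allowed to change.
    unset( $wishlist[ $item_id ] );
    update_user_meta( $current_user_id, 'example_wishlist', $wishlist );

    wp_send_json_success( array( 'removed' => $item_id ) );
}
```

The essential property is that the user-supplied key never selects data on its own: every read and write is anchored to get_current_user_id(), so a Subscriber who guesses or enumerates another user's item id gets a 403 rather than a deletion. The nonce check addresses CSRF, which is a separate concern from the authorization bypass, but both belong in any state-changing AJAX handler.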
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-22T18:11:13.326Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691410463f7e91646d5ffa29
Added to database: 11/12/2025, 4:42:46 AM
Last enriched: 11/12/2025, 4:49:13 AM
Last updated: 11/12/2025, 7:27:33 AM