
CVE-2025-12091: CWE-862 Missing Authorization in instantsearchplus Search, Filters & Merchandising for WooCommerce

Severity: Medium
Tags: Vulnerability, CVE-2025-12091, cve-2025-12091, cwe-862
Published: Sat Dec 06 2025 (12/06/2025, 05:49:34 UTC)
Source: CVE Database V5
Vendor/Project: instantsearchplus
Product: Search, Filters & Merchandising for WooCommerce

Description

The Search, Filters & Merchandising for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wcis_save_email' endpoint in all versions up to, and including, 3.0.63. This makes it possible for authenticated attackers, with Subscriber-level access and above, to deactivate the plugin.

AI-Powered Analysis

Last updated: 12/06/2025, 06:08:53 UTC

Technical Analysis

CVE-2025-12091 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the Search, Filters & Merchandising for WooCommerce plugin for WordPress, versions up to and including 3.0.63. The issue arises because the plugin fails to perform proper capability checks on the 'wcis_save_email' endpoint, which is responsible for saving email-related settings or data. This missing authorization check allows any authenticated user with at least Subscriber-level privileges to invoke this endpoint and deactivate the plugin. Since Subscriber-level access is typically granted to users with minimal permissions, this vulnerability significantly lowers the bar for exploitation. The vulnerability does not require user interaction and can be exploited remotely over the network (AV:N), with low attack complexity (AC:L). The CVSS 3.1 base score is 4.3, reflecting a medium severity primarily due to the impact on integrity (I:L) without affecting confidentiality or availability. The scope remains unchanged (S:U), meaning the impact is confined to the vulnerable component. No known exploits have been reported in the wild, and no official patches have been published at the time of this analysis. The vulnerability could be leveraged by attackers who have gained low-level access to a WordPress site to disrupt e-commerce operations by disabling critical search and filtering functionality, potentially impacting customer experience and sales. The plugin is widely used in WooCommerce-based online stores, which are prevalent in many European countries. The lack of authorization checks represents a fundamental security flaw that can be exploited to undermine the integrity of the e-commerce platform.

Potential Impact

For European organizations operating WooCommerce-based e-commerce sites, this vulnerability poses a risk of unauthorized modification of plugin state, specifically allowing attackers with minimal authenticated privileges to deactivate the Search, Filters & Merchandising plugin. This can lead to degraded user experience, loss of critical search and filtering capabilities, and potential revenue loss due to impaired site functionality. While it does not directly expose sensitive data or cause denial of service, the integrity compromise can facilitate further attacks or operational disruptions. Retailers relying heavily on this plugin for merchandising and customer navigation may face reputational damage and customer dissatisfaction. Additionally, attackers could use this as a foothold to escalate privileges or deploy additional malicious payloads. The medium severity rating reflects the moderate impact on business operations and the relatively low complexity of exploitation. Organizations with large e-commerce footprints in Europe, especially those with many users having Subscriber-level access (e.g., registered customers or contributors), are at higher risk. The vulnerability also highlights the importance of strict role-based access controls and monitoring of user activities within WordPress environments.

Mitigation Recommendations

Until an official patch is released, European organizations should implement the following mitigations:
1) Restrict access to the 'wcis_save_email' endpoint by implementing web application firewall (WAF) rules that block or limit requests to this endpoint from users without elevated privileges.
2) Audit and minimize the number of users with Subscriber-level or higher access, ensuring that only trusted users have authenticated access to the WordPress backend.
3) Employ strict role-based access control policies and regularly review user permissions to prevent privilege abuse.
4) Monitor logs for unusual activity related to the vulnerable endpoint or plugin deactivation events to detect potential exploitation attempts early.
5) Consider temporarily disabling the plugin if it is not critical to operations or if the risk of exploitation outweighs its benefits.
6) Stay informed about vendor updates and apply patches immediately once they become available.
7) Harden the WordPress environment by disabling unnecessary REST API endpoints or restricting them to trusted IPs where feasible.
8) Educate site administrators and users about the risks of unauthorized access and encourage strong authentication mechanisms such as multi-factor authentication (MFA).
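A defender-side illustration of mitigation step 4, added here as an example and not part of the advisory, the plugin, or Wordfence's tooling: a small scanner that reads web server access-log lines and flags two things the advisory describes, requests reaching the 'wcis_save_email' endpoint and plugin-deactivation requests. It assumes the endpoint is reached as a WordPress admin-ajax 'action' parameter (the advisory names only the endpoint, not its routing; confirm against the plugin before deploying) and that logs are in Apache/Nginx combined format. The log lines, client addresses, nonce and plugin slug below are constructed for the example.

```python
"""Flag access-log requests relevant to CVE-2025-12091 (missing capability check
on 'wcis_save_email') and the plugin-deactivation effect the advisory describes.

Assumptions (not stated by the advisory): the endpoint is an admin-ajax action
selected by an 'action' query parameter, and the log is in combined format.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qsl

# Vulnerable action name as given in the advisory.
VULN_ACTION = "wcis_save_email"

# Constructed sample lines (RFC 5737 documentation addresses). The plugin slug
# and nonce in the deactivate request are placeholders, not the plugin's real
# file path or a real token.
SAMPLE_LOG = """\
203.0.113.10 - - [06/Dec/2025:06:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=wcis_save_email HTTP/1.1" 200 17 "-" "Mozilla/5.0"
203.0.113.10 - - [06/Dec/2025:06:01:05 +0000] "POST /wp-admin/admin-ajax.php?action=wcis_save_email HTTP/1.1" 200 17 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Dec/2025:06:02:11 +0000] "GET /shop/?s=shoes HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Dec/2025:06:03:40 +0000] "GET /wp-admin/plugins.php?action=deactivate&plugin=example-slug%2Fexample.php&_wpnonce=PLACEHOLDER HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [06/Dec/2025:06:04:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 40 "-" "Mozilla/5.0"
"""

# Combined-format prefix: client, identd, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return ip, ts, method, path, params, status for one line; None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    path, _, query = ev.pop("target").partition("?")
    ev["path"] = path
    ev["params"] = dict(parse_qsl(query, keep_blank_values=True))
    return ev


def classify(ev):
    """Label an event as a vulnerable-endpoint call, a plugin deactivation, or None.

    Only the query string is visible in an access log; if the 'action' value is
    carried in the POST body instead, this check needs WAF or application-level
    request logging to see it.
    """
    action = ev["params"].get("action")
    if ev["path"].endswith("/admin-ajax.php") and action == VULN_ACTION:
        return "wcis_save_email_call"
    if ev["path"].endswith("/plugins.php") and action == "deactivate":
        return "plugin_deactivation"
    return None


def scan(log_text):
    """Return (findings, calls_per_ip).

    findings: list of (kind, ip, ts, path, params) in log order.
    calls_per_ip: count of vulnerable-endpoint calls per client address, so a
    single low-privilege account hammering the endpoint stands out.
    """
    findings = []
    calls_per_ip = defaultdict(int)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        kind = classify(ev)
        if kind is None:
            continue
        findings.append((kind, ev["ip"], ev["ts"], ev["path"], ev["params"]))
        if kind == "wcis_save_email_call":
            calls_per_ip[ev["ip"]] += 1
    return findings, dict(calls_per_ip)


if __name__ == "__main__":
    found, per_ip = scan(SAMPLE_LOG)
    for kind, ip, ts, path, params in found:
        print(f"{ts} {ip} {kind} {path} {params}")
    print("wcis_save_email calls per client:", per_ip)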


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-10-22T18:40:47.777Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6933c71c11163305efef3527

Added to database: 12/6/2025, 6:03:08 AM

Last enriched: 12/6/2025, 6:08:53 AM

Last updated: 12/10/2025, 7:03:07 PM

