CVE-2025-12091: CWE-862 Missing Authorization in instantsearchplus Search, Filters & Merchandising for WooCommerce
The Search, Filters & Merchandising for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wcis_save_email' endpoint in all versions up to, and including, 3.0.63. This makes it possible for authenticated attackers, with Subscriber-level access and above, to deactivate the plugin.
AI Analysis
Technical Summary
CVE-2025-12091 is a CWE-862 (Missing Authorization) flaw in the Search, Filters & Merchandising for WooCommerce plugin for WordPress (vendor: instantsearchplus), affecting all versions up to and including 3.0.63. The plugin's 'wcis_save_email' endpoint performs a privileged operation without first checking the caller's capabilities, so any authenticated user, down to the Subscriber role, can invoke it and deactivate the plugin. No privilege escalation in the WordPress sense takes place: the account keeps its Subscriber capabilities, but the endpoint lets it trigger an action that WordPress normally gates behind the 'activate_plugins' capability, which by default only Administrators hold. Note that the WooCommerce Customer role sits at the same privilege level as Subscriber, so on a shop that lets customers register an account, every registered customer meets the precondition. The advisory scores the flaw as a loss of integrity only: the plugin's operational state is modified without authorization, while no confidentiality impact and no availability impact are recorded, even though the practical effect of the deactivation is that search, filtering and merchandising features stop working for all visitors until an administrator reactivates the plugin. The attack vector is network-based, attack complexity is low, low privileges are required and no user interaction is needed; these components correspond to the vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, which yields the stated CVSS v3.1 base score of 4.3 (Medium). The scope is limited to installations running the affected plugin versions. At the time of this analysis no exploitation in the wild has been reported and no patched release is listed; the CVE was reserved on October 22, 2025 and published on December 6, 2025, with Wordfence as the assigning CNA. Given the widespread use of WooCommerce, the flaw gives low-privilege users a way to disrupt merchandising features, with knock-on effects on sales and user experience.
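The following added example (not code from the plugin, from instantsearchplus or from Wordfence) shows the CWE-862 pattern described above in a WordPress admin-ajax handler, alongside the hardened form. The action name 'wcis_save_email' is taken from the advisory; that the endpoint is registered as an admin-ajax action, the option name, the request parameters, the nonce name and the function names are assumptions made purely for illustration.

```php
<?php
// Added illustration of CWE-862 in a WordPress AJAX handler. Not the plugin's
// own code: the hook name comes from the advisory, everything else is assumed.

// --- Vulnerable pattern (shown for comparison, not registered below) ---
// wp_ajax_{action} fires for EVERY logged-in user regardless of role, so
// registering the hook provides no authorization by itself.
// add_action( 'wp_ajax_wcis_save_email', 'wcis_save_email_vulnerable' );
function wcis_save_email_vulnerable() {
    $email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    update_option( 'wcis_notification_email', $email ); // assumed option name

    // Privileged side effect reachable by Subscriber-level accounts:
    // deactivate_plugins() does no capability check of its own.
    if ( ! empty( $_POST['deactivate'] ) ) {
        deactivate_plugins( plugin_basename( __FILE__ ) );
    }
    wp_send_json_success();
}

// --- Hardened pattern ---
add_action( 'wp_ajax_wcis_save_email', 'wcis_save_email_hardened' );
function wcis_save_email_hardened() {
    // 1. CSRF: verify the nonce issued to the settings page. This alone is NOT
    //    authorization; a Subscriber who can load a page carrying the nonce
    //    would still pass it.
    check_ajax_referer( 'wcis_settings', 'nonce' ); // assumed nonce action/field

    // 2. Authorization: require the capability that matches the side effect.
    //    Deactivating plugins is gated by 'activate_plugins' in WordPress core,
    //    held only by Administrators by default.
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. Input validation after the access checks.
    $email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    if ( ! is_email( $email ) ) {
        wp_send_json_error( array( 'message' => 'Invalid email address' ), 400 );
    }
    update_option( 'wcis_notification_email', $email );

    if ( ! empty( $_POST['deactivate'] ) ) {
        deactivate_plugins( plugin_basename( __FILE__ ) );
    }
    wp_send_json_success();
}
```

The capability to check should be the one WordPress core attaches to the side effect ('activate_plugins' for deactivation, 'manage_options' for settings writes), not merely "is logged in". A nonce check on its own is the most common half-fix seen in this class of WordPress advisory: it stops cross-site request forgery but still lets any authenticated account that can obtain the nonce reach the handler.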
Potential Impact
For European organizations, especially those operating e-commerce sites on WooCommerce with the affected plugin, this vulnerability allows unauthorized deactivation of the site's search, filtering and merchandising features. It does not expose customer data and does not take the site itself offline, but losing those features degrades the shopping experience, lowers conversion rates and can damage brand reputation. Because the Subscriber (and, equivalently, WooCommerce Customer) role is enough, the realistic attacker is any registered shop customer, a disgruntled insider, or anyone holding a compromised low-level account, which makes the precondition far easier to meet than "authenticated" usually implies. In sectors with contractual or regulatory obligations around service availability, an outage of the storefront's core navigation features can carry financial and compliance consequences. The impact is operational and reputational rather than a data breach. Organizations that rely on these merchandising features should treat the flaw as a moderate risk to business continuity and customer satisfaction.
Mitigation Recommendations
First, check the plugin's changelog for a release newer than 3.0.63 and update as soon as one is available; the advisory text reproduced here lists no fixed version, so verify this directly against the vendor rather than relying on this page. Until a fix is applied, reduce the pool of accounts that meet the precondition: disable open registration ("Anyone can register" in Settings > General and the customer account options in WooCommerce > Settings > Accounts & Privacy) if the business does not need it, remove dormant Subscriber and Customer accounts, and enforce strong authentication so that compromised low-privilege credentials are less likely. Restrict the 'wcis_save_email' endpoint itself: a web application firewall rule that blocks admin-ajax.php requests carrying action=wcis_save_email is a blunt but effective interim control (it also blocks administrators, which is acceptable while the plugin is awaiting a patch), while a server-side guard that checks 'activate_plugins' before the plugin's handler runs is more precise because a WAF cannot tell an administrator's session from a subscriber's. WordPress does not log plugin deactivations by default, so add logging (an activity-log plugin or a hook on the 'deactivated_plugin' action) and alert on any deactivation of this plugin; an unexpected deactivation should be treated as an incident, with the account that triggered it reviewed and the plugin reactivated. Keep regular backups of site data and plugin configuration so that unauthorized changes can be reverted quickly, and track the vendor's release notes and Wordfence's advisory for the fixed version.
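An added example of the server-side interim guard described above, written as a WordPress must-use plugin. This is not vendor code and not a Wordfence rule. It assumes the endpoint is reached as an admin-ajax action named 'wcis_save_email' (the advisory says only "endpoint"); the file name, the constant and function names, and the log line format are choices made for this example.

```php
<?php
/**
 * Plugin Name: CVE-2025-12091 interim guard (added example, not vendor code)
 * Description: Place in wp-content/mu-plugins/ to refuse non-administrator calls
 *              to the wcis_save_email AJAX action and to log plugin deactivations
 *              until a plugin release newer than 3.0.63 is installed.
 */

// Assumption: the endpoint is admin-ajax.php?action=wcis_save_email. If the
// plugin exposes it another way (for example a REST route), adapt the hook.
const CVE_2025_12091_GUARDED_ACTION = 'wcis_save_email';

// admin-ajax.php fires 'admin_init' before dispatching wp_ajax_{action}, so a
// callback here runs before the plugin's own handler and can stop the request.
add_action( 'admin_init', 'cve_2025_12091_guard', 0 );
function cve_2025_12091_guard() {
    if ( ! wp_doing_ajax() ) {
        return;
    }
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    if ( $action !== CVE_2025_12091_GUARDED_ACTION ) {
        return;
    }
    // Deactivating a plugin is gated by 'activate_plugins' in core; require the
    // same capability here. Administrators pass through to the plugin unchanged.
    if ( current_user_can( 'activate_plugins' ) ) {
        return;
    }
    $user = wp_get_current_user();
    error_log( sprintf(
        'CVE-2025-12091 guard: blocked action=%s user=%d roles=%s ip=%s',
        CVE_2025_12091_GUARDED_ACTION,
        $user->ID,
        implode( ',', (array) $user->roles ),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-'
    ) );
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}

// Detection: core does not log who deactivated a plugin. Record it so that a
// deactivation triggered by a low-privilege account stands out in the PHP
// error log (or wherever the host ships that log).
add_action( 'deactivated_plugin', 'cve_2025_12091_log_deactivation', 10, 2 );
function cve_2025_12091_log_deactivation( $plugin, $network_wide ) {
    $user = wp_get_current_user();
    error_log( sprintf(
        'plugin deactivated: %s network_wide=%d user=%d roles=%s via=%s',
        $plugin,
        $network_wide ? 1 : 0,
        $user->ID,
        implode( ',', (array) $user->roles ),
        wp_doing_ajax() ? 'admin-ajax' : ( isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : 'unknown' )
    ) );
}
```

Must-use plugins load before regular plugins and cannot be deactivated from the admin UI, so the guard stays in place even if the vulnerable plugin is toggled. Remove the file once the patched release is installed, since it would otherwise keep masking the vendor's own behaviour of the endpoint.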
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-22T18:40:47.777Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6933c71c11163305efef3527
Added to database: 12/6/2025, 6:03:08 AM
Last enriched: 12/13/2025, 7:06:18 AM
Last updated: 2/4/2026, 7:21:43 AM