CVE-2025-12115 is a vulnerability classified under CWE-602 (Client-Side Enforcement of Server-Side Security) found in the WPC Name Your Price for WooCommerce plugin, a popular WordPress extension that allows customers to name their own price for products. The vulnerability exists because the plugin fails to disable the custom pricing feature on the server side when it has been disabled for a product, relying instead on client-side controls to enforce this restriction. This design flaw allows unauthenticated attackers to manipulate client-side parameters and submit purchase requests with arbitrary prices, including prices lower than intended or even zero. The vulnerability affects all versions up to and including 2.1.9. Exploitation requires no authentication or user interaction, making it remotely exploitable over the network. The CVSS v3.1 score is 7.5 (high), reflecting the ease of exploitation and the high impact on integrity, as attackers can alter transaction prices and cause financial loss. No known public exploits have been reported yet, but the vulnerability poses a significant risk to online stores using this plugin. The root cause is the improper reliance on client-side enforcement of security controls that should be validated and enforced on the server side. Without server-side validation, attackers can bypass restrictions by tampering with HTTP requests or JavaScript code. This vulnerability highlights the critical importance of robust server-side validation in e-commerce applications to prevent unauthorized transactions and fraud.

For European organizations operating e-commerce websites with WooCommerce and the vulnerable WPC Name Your Price plugin, this vulnerability can lead to significant financial losses due to unauthorized price manipulation. Attackers can purchase products at prices lower than intended, potentially even free, undermining revenue and trust. The integrity of pricing data is compromised, which can also affect inventory management and accounting. Additionally, widespread exploitation could damage brand reputation and customer trust. Since no authentication is required, attackers can automate exploitation at scale, increasing the risk of large-scale fraud. The availability of the service is not directly impacted, but the financial and reputational damage can be severe. Organizations may also face compliance risks under European regulations if they fail to protect transactional integrity. The vulnerability is particularly impactful for small and medium-sized enterprises that rely heavily on WooCommerce and may lack advanced security controls.

Immediate mitigation involves applying patches or updates from the plugin vendor once available. In the absence of an official patch, organizations should implement strict server-side validation to enforce pricing rules, ensuring that any custom price submissions are verified against product configurations before processing transactions. Disabling the 'Name Your Price' feature entirely for critical products until a fix is applied can reduce risk. Web application firewalls (WAFs) can be configured to detect and block anomalous requests that attempt to manipulate pricing parameters. Monitoring transaction logs for unusual pricing patterns can help identify exploitation attempts. Additionally, organizations should review and harden their e-commerce workflows to avoid reliance on client-side controls for security decisions. Regular security assessments and code reviews of custom plugins are recommended to detect similar issues proactively. Finally, educating developers about the risks of client-side enforcement and the necessity of server-side validation is essential to prevent recurrence.