CVE-2025-12115 is a vulnerability identified in the WPC Name Your Price for WooCommerce plugin, a popular WordPress extension that allows customers to name their own price for products. The issue exists in all versions up to and including 2.1.9. The root cause is improper enforcement of server-side security controls, specifically a failure to disable the custom pricing feature on the client side when it has been disabled for a product on the server side. This is classified under CWE-602, which involves client-side enforcement of server-side security policies, leading to security bypass. Because the plugin relies on client-side controls to restrict price input, an unauthenticated attacker can manipulate the price parameter in requests to purchase products at prices lower than intended by the merchant. The vulnerability requires no authentication or user interaction and can be exploited remotely over the network. The CVSS v3.1 base score is 7.5, reflecting high severity due to the ease of exploitation and significant impact on data integrity (price manipulation). No known public exploits have been reported yet, and no patches or updates have been linked at the time of publication. The vulnerability primarily affects the integrity of e-commerce transactions, potentially resulting in financial losses and undermining trust in affected online stores.

The primary impact of CVE-2025-12115 is financial loss due to unauthorized price manipulation, allowing attackers to purchase products at prices lower than intended. This undermines the integrity of e-commerce transactions and can lead to significant revenue loss for affected merchants. Additionally, widespread exploitation could damage the reputation of online stores using the vulnerable plugin, eroding customer trust. Since the vulnerability does not affect confidentiality or availability, data breaches or service outages are unlikely. However, the ease of exploitation without authentication or user interaction increases the risk of automated attacks and large-scale abuse. Organizations relying on WooCommerce with this plugin may face operational disruptions in pricing and inventory management due to fraudulent transactions. The vulnerability also poses compliance risks if financial controls are circumvented, potentially impacting regulatory adherence in some jurisdictions.

To mitigate CVE-2025-12115, organizations should immediately verify if they are using the WPC Name Your Price for WooCommerce plugin version 2.1.9 or earlier and plan to upgrade to a patched version once available. In the absence of an official patch, merchants should implement strict server-side validation to enforce pricing rules, ensuring that any custom price input is validated against product settings before processing transactions. Disabling the plugin temporarily or removing the custom pricing feature for critical products can reduce exposure. Monitoring transaction logs for anomalous pricing patterns can help detect exploitation attempts. Additionally, applying Web Application Firewall (WAF) rules to block suspicious requests manipulating price parameters may provide interim protection. Merchants should also educate their development and security teams about the risks of relying on client-side controls for critical business logic and enforce secure coding practices that validate all inputs server-side.