
CVE-2025-12358: CWE-352 Cross-Site Request Forgery (CSRF) in roxnor ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution

Medium
Tags: Vulnerability, CVE-2025-12358, CWE-352
Published: Wed Dec 03 2025 (12/03/2025, 12:29:55 UTC)
Source: CVE Database V5
Vendor/Project: roxnor
Product: ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution

Description

The ShopEngine Elementor WooCommerce Builder Addon plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.8.5. This is due to missing nonce validation on the "post_add_to_list" function as well as an incorrect permissions callback in the "Api/init" function. This makes it possible for unauthenticated attackers to add or remove products from a user's wishlist via a forged request granted they can trick a site's user into performing an action such as clicking on a link.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/27/2026, 20:23:08 UTC

Technical Analysis

CVE-2025-12358 is a medium-severity Cross-Site Request Forgery (CSRF) vulnerability in the ShopEngine Elementor WooCommerce Builder Addon plugin for WordPress, affecting all versions up to and including 4.8.5. Two defects combine: the 'post_add_to_list' function performs no nonce validation, and the route registered in the 'Api/init' function uses an incorrect permissions callback.

A WordPress nonce is a per-user, time-limited token tied to a specific action; a handler that verifies it can distinguish a request generated by the user's own page on the site from one a third-party page forged. Without that check, any request that carries the victim's session cookie looks legitimate to the server. The permissions callback (the term comes from WordPress REST route registration) is the second gate: it decides whether the caller may reach the handler at all. A callback that answers yes for every caller, including unauthenticated ones, also means the route never demands the REST nonce that cookie-authenticated WordPress requests normally carry. Together the two defects let an attacker who holds no account on the site cause a logged-in user's browser to submit the request: the victim visits an attacker-controlled page or clicks a crafted link, the browser attaches the store's cookies, and the handler adds or removes products in that user's wishlist.

The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) captures this: remote, low complexity, no privileges needed by the attacker, but user interaction required, with a limited integrity impact and no confidentiality or availability impact. No public exploit had been reported at the time of this analysis. The CVE entry names no fixed version; site administrators should check the vendor changelog for a release newer than 4.8.5 and apply the mitigations in the section below in the meantime.

Potential Impact

The impact is confined to the integrity of user data on affected stores: an attacker can add products to, or remove products from, a victim's wishlist without consent. No credentials, order data or site availability are affected. The practical harm is customer confusion and loss of trust, any indirect commercial effect where wishlists feed recommendations or purchasing decisions, and the support cost of explaining unexpected wishlist changes. Exploitation needs the victim to be logged in and to visit an attacker-controlled page or link, so a phishing or social-engineering campaign is the realistic delivery vector, and that requirement limits the attack surface. Every site running version 4.8.5 or earlier is exposed, and WooCommerce's popularity suggests a sizeable install base. The absence of a known exploit lowers the immediate risk but does not remove it; the impact is moderate, but prompt remediation is still warranted to preserve platform integrity and user trust.

Mitigation Recommendations

Update to a plugin release newer than 4.8.5 as soon as the vendor publishes one; the CVE entry itself names no fixed version, so confirm against the vendor changelog. Until an update is available, the options below reduce exposure.

Patching the plugin in place, by adding a nonce check to 'post_add_to_list' and changing the permissions callback in 'Api/init' so that it requires a logged-in user, is the vendor's fix rather than a site administrator's: edits to plugin files are overwritten by the next plugin update, so treat a local hot-patch as a stopgap and record exactly what was changed. Web Application Firewall rules can help, but bear in mind what a CSRF request looks like: it arrives from the victim's own browser with a valid session cookie, so the only usable signals are request-level ones. Flag or block POSTs to the wishlist endpoint whose Origin or Referer header does not match the site's own host and, if the route is a REST endpoint, requests that lack the X-WP-Nonce header WordPress's own REST client sends for cookie-authenticated calls.

For detection, alert on bursts of wishlist changes for a single user and on wishlist writes whose Referer is off-site. Telling users not to follow untrusted links while logged in to the store reduces the likelihood of a successful lure but does not eliminate it. If none of the above is feasible, temporarily disable the plugin or its wishlist feature, weighing the business cost against the risk.
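The two fixes named in the technical analysis and above (a nonce check on the add-to-list handler, and a permissions callback that requires a logged-in user), written out in PHP as an added example. This is not ShopEngine's code: the namespace, route, function names, meta key and nonce action are hypothetical stand-ins, while the WordPress functions called are real core APIs. It shows the registration pattern that would allow the CSRF beside the hardened registration, and the equivalent check for the same handler exposed through admin-ajax.

```php
<?php
// Added example, not ShopEngine's code. Namespace, route, function and
// meta-key names are hypothetical; the WordPress functions are core APIs.

// Vulnerable pattern, shown for contrast and deliberately NOT hooked:
// a permission callback that returns true for every caller, and a handler
// with no nonce check. A logged-in victim's browser attaches the site's
// cookies to a cross-site POST, so a third-party page can trigger this.
function example_register_vulnerable_route() {
    register_rest_route( 'example-wishlist/v1', '/add', array(
        'methods'             => 'POST',
        'callback'            => 'example_post_add_to_list',
        'permission_callback' => '__return_true',
    ) );
}

// Hardened registration: the permission callback requires an
// authenticated user, and the argument schema validates the input.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-wishlist/v1', '/add', array(
        'methods'             => 'POST',
        'callback'            => 'example_post_add_to_list',
        'permission_callback' => 'example_wishlist_permission',
        'args'                => array(
            'product_id' => array(
                'required'          => true,
                'type'              => 'integer',
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );

function example_wishlist_permission( WP_REST_Request $request ) {
    // REST cookie authentication only sets the current user when a valid
    // X-WP-Nonce (action 'wp_rest') accompanies the request; otherwise
    // WordPress treats the caller as anonymous. A forged cross-site request
    // cannot obtain that nonce, so requiring a logged-in user here blocks
    // the CSRF without a second nonce check inside the handler.
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }
    return true;
}

function example_post_add_to_list( WP_REST_Request $request ) {
    $user_id    = get_current_user_id();
    $product_id = (int) $request->get_param( 'product_id' );
    if ( $product_id <= 0 || 'product' !== get_post_type( $product_id ) ) {
        return new WP_Error( 'invalid_product', 'Unknown product.', array( 'status' => 400 ) );
    }
    $list = get_user_meta( $user_id, 'example_wishlist', true );
    if ( ! is_array( $list ) ) {
        $list = array();
    }
    if ( ! in_array( $product_id, $list, true ) ) {
        $list[] = $product_id;
        update_user_meta( $user_id, 'example_wishlist', $list );
    }
    return rest_ensure_response( array( 'list' => array_values( $list ) ) );
}

// The same handler exposed through admin-ajax needs an explicit nonce
// check, because admin-ajax performs no CSRF protection by itself.
// Hooking only 'wp_ajax_' (not 'wp_ajax_nopriv_') limits it to logged-in
// users; check_ajax_referer() ends the request with HTTP 403 on a bad nonce.
add_action( 'wp_ajax_example_add_to_list', function () {
    check_ajax_referer( 'example_wishlist_nonce', 'nonce' );
    $product_id = isset( $_POST['product_id'] ) ? absint( $_POST['product_id'] ) : 0;
    $request    = new WP_REST_Request( 'POST' );
    $request->set_param( 'product_id', $product_id );
    $result = example_post_add_to_list( $request );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 400 );
    }
    wp_send_json_success( $result->get_data() );
} );

// Client side: hand both nonces to the (hypothetical, already registered)
// 'example-wishlist' script so legitimate same-site requests can carry them.
add_action( 'wp_enqueue_scripts', function () {
    wp_localize_script( 'example-wishlist', 'exampleWishlist', array(
        'restNonce' => wp_create_nonce( 'wp_rest' ),
        'ajaxNonce' => wp_create_nonce( 'example_wishlist_nonce' ),
    ) );
} );
```

A browser on a third-party origin cannot read either nonce, so a forged request reaches the REST route as anonymous and is refused by the permission callback, and reaches the admin-ajax hook with no valid nonce and is refused by check_ajax_referer(). Input validation on product_id is there because CSRF hardening should not be the only thing standing between an attacker and the wishlist store.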


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-10-27T16:10:11.719Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69302ef1720cedca79452379

Added to database: 12/3/2025, 12:37:05 PM

Last enriched: 2/27/2026, 8:23:08 PM

Last updated: 3/25/2026, 4:33:54 AM

