
CVE-2025-12358: CWE-352 Cross-Site Request Forgery (CSRF) in roxnor ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution

Severity: Medium
Tags: Vulnerability, CVE-2025-12358, cve, cwe-352
Published: Wed Dec 03 2025 (12/03/2025, 12:29:55 UTC)
Source: CVE Database V5
Vendor/Project: roxnor
Product: ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution

Description

The ShopEngine Elementor WooCommerce Builder Addon plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.8.5. This is due to missing nonce validation on the "post_add_to_list" function as well as an incorrect permissions callback in the "Api/init" function. This makes it possible for unauthenticated attackers to add or remove products from a user's wishlist via a forged request granted they can trick a site's user into performing an action such as clicking on a link.

AI-Powered Analysis

Last updated: 12/03/2025, 12:52:29 UTC

Technical Analysis

CVE-2025-12358 is a Cross-Site Request Forgery (CSRF) vulnerability in the ShopEngine Elementor WooCommerce Builder Addon plugin for WordPress, affecting all versions up to and including 4.8.5. Two defects are named: the 'post_add_to_list' function performs no nonce validation, and the endpoint registered in 'Api/init' uses an incorrect permissions callback.

A WordPress nonce is a per-user, per-action, time-limited token: the page that renders a control emits it (wp_create_nonce()), and the handler that performs the action verifies it (wp_verify_nonce(), check_ajax_referer() or check_admin_referer()). Its purpose is to prove that a state-changing request originated from a page the site itself served to that user. Without the check, any request that arrives with the victim's login cookie is accepted, and a browser attaches that cookie to requests made by a page under the attacker's control. A permissions callback is the per-route authorization hook of the WordPress REST API (the permission_callback argument to register_rest_route()); if it is wrong, for example one that always returns true, the route performs no authorization of its own and unauthenticated callers reach the handler.

Exploitation requires the attacker to lure a logged-in user into clicking a crafted link or visiting a page the attacker controls. That page issues the forged request to the store; the browser sends the victim's cookies with it, and the plugin adds or removes products from the victim's wishlist. The attacker needs no account on the target site.

The impact is limited to the integrity of wishlist data; the flaw gives no access to sensitive data or to the server. The CVSS v3.1 base score is 4.3 (Medium): network attack vector, low attack complexity, no privileges required, user interaction required, low integrity impact and no confidentiality or availability impact (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N). At publication no public exploit and no vendor patch were noted; the CVE was assigned by Wordfence. The plugin is deployed on WooCommerce stores built with Elementor, including many in Europe. The defect is a textbook case of why every state-changing handler in a WordPress plugin needs both a nonce check and a capability check.

Potential Impact

For European organisations running WooCommerce stores with this plugin, the risk is to the integrity of customer wishlist data. Payment and personal data are not exposed, but an attacker can silently add or remove products from a victim's wishlist, which degrades the shopping experience, can disrupt promotions or campaigns keyed to wishlists, and erodes customer trust. Because exploitation requires the victim to click a link or visit a page while logged in, it is most likely delivered through phishing or other social engineering. Confidentiality and availability are not affected. For stores that rely on personalised recommendations and wishlist-driven engagement, the integrity loss can carry a modest financial cost. A wishlist bound to a customer account is personal data, so unauthorised modification of it falls under GDPR's integrity and security obligations even when the practical harm is small. The Medium score indicates the issue is not urgent in isolation, but the fix is cheap and it should be applied promptly.

Mitigation Recommendations

1. Monitor the vendor's (roxnor) release notes and the Wordfence advisory for a fixed version and update as soon as one is available.
2. Until then, if you maintain your own copy of the plugin, add nonce validation to the 'post_add_to_list' handler: issue the nonce where the wishlist control is rendered and verify it in the handler with check_ajax_referer() or wp_verify_nonce(). A nonce does not authenticate the user; it proves the request came from a page the site served to that user, which is what defeats CSRF. Changes to plugin files are overwritten by updates, so record them and remove them once the vendor fix lands.
3. Correct the permissions callback in 'Api/init' so the endpoint requires a logged-in user with an appropriate capability instead of admitting every caller.
4. Add WAF rules for the wishlist endpoints that reject state-changing requests whose Origin or Referer header is not the site's own origin. This is a generic CSRF control and does not depend on knowing the exploit payload.
5. Remind users and staff that a link in unsolicited mail can act on their logged-in store session, so they should not follow such links while logged in.
6. Review other installed plugins and themes for the same pattern: AJAX or REST handlers without nonce or capability checks.
7. Set SameSite=Lax or Strict on the WordPress authentication cookies at the web server or application layer. Note the limits: Lax still sends cookies on top-level GET navigations, so it only helps if the endpoint refuses GET, and Content Security Policy does not stop CSRF at all, since the forged request is issued from the attacker's origin, which your CSP does not govern. Keep CSP for XSS hardening but do not count it as a CSRF mitigation.
8. Include CSRF in regular security audits and penetration tests of the storefront.
9. If the loss is acceptable, disable the wishlist feature until a patch is installed.
10. Log wishlist changes together with the request's Origin and Referer, and review for bursts of changes or for changes arriving with a cross-site Referer, which would indicate exploitation attempts.
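As an added illustration of the two defect classes this advisory names (a handler with no nonce check, and a REST route whose permissions callback admits everyone) beside their hardened forms. This is hypothetical plugin code written for this page, not ShopEngine's source; the hook names, the demo/v1 REST namespace, the demo_wishlist nonce action and the user-meta storage are assumptions made for illustration.

```php
<?php
/**
 * Added example (hypothetical plugin code, not ShopEngine's). The hook names,
 * the 'demo/v1' namespace, the 'demo_wishlist' nonce action and the user-meta
 * storage are assumptions made for illustration.
 */

// Shared helper: toggle $product_id in the user's wishlist stored as user meta.
function demo_wishlist_toggle( int $user_id, int $product_id ): array {
    $list = get_user_meta( $user_id, 'demo_wishlist', true );
    $list = is_array( $list ) ? array_map( 'intval', $list ) : array();
    $key  = array_search( $product_id, $list, true );
    if ( false === $key ) {
        $list[] = $product_id;          // add
    } else {
        unset( $list[ $key ] );         // remove
    }
    $list = array_values( $list );
    update_user_meta( $user_id, 'demo_wishlist', $list );
    return $list;
}

// Validate the product id once, for every handler below.
function demo_valid_product( $raw ): int {
    $id = absint( $raw );
    return ( $id && 'product' === get_post_type( $id ) ) ? $id : 0;
}

/* ---- Weakness 1: admin-ajax handler with no nonce check ------------------ */
// Any page on the web can POST here; the browser attaches the victim's login
// cookie, get_current_user_id() resolves to the victim, and the list changes.
add_action( 'wp_ajax_demo_vuln_add_to_list', function () {
    $id = demo_valid_product( $_POST['product_id'] ?? 0 );
    if ( $id ) {
        demo_wishlist_toggle( get_current_user_id(), $id );
    }
    wp_send_json_success();
} );

/* ---- Hardened: nonce bound to this action, plus an auth check ------------ */
// The button's JS must send wp_create_nonce( 'demo_wishlist' ) as the 'nonce'
// field (hand it over with wp_localize_script()). A page on another origin
// cannot read that value, so check_ajax_referer() rejects forged requests (403).
add_action( 'wp_ajax_demo_add_to_list', function () {
    check_ajax_referer( 'demo_wishlist', 'nonce' );
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 401 );
    }
    $id = demo_valid_product( $_POST['product_id'] ?? 0 );
    if ( ! $id ) {
        wp_send_json_error( 'unknown product', 400 );
    }
    wp_send_json_success( demo_wishlist_toggle( get_current_user_id(), $id ) );
} );

add_action( 'rest_api_init', function () {
    /* ---- Weakness 2: REST route whose permission callback always allows -- */
    // '__return_true' means anonymous callers reach the route body; nothing
    // here verifies who is calling or on whose list they are acting.
    register_rest_route( 'demo/v1', '/vuln-wishlist', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'permission_callback' => '__return_true',
        'callback'            => function ( WP_REST_Request $req ) {
            $id = demo_valid_product( $req->get_param( 'product_id' ) );
            return $id ? demo_wishlist_toggle( get_current_user_id(), $id ) : array();
        },
    ) );

    /* ---- Hardened: real authorization in permission_callback, typed args - */
    // With cookie auth the REST API only recognises the user when the request
    // carries a valid X-WP-Nonce (action 'wp_rest'); otherwise it is anonymous
    // and this callback returns an error before the route body runs.
    register_rest_route( 'demo/v1', '/wishlist', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'permission_callback' => function () {
            if ( is_user_logged_in() && current_user_can( 'read' ) ) {
                return true;
            }
            return new WP_Error(
                'rest_forbidden',
                'Login required.',
                array( 'status' => rest_authorization_required_code() )
            );
        },
        'args' => array(
            'product_id' => array(
                'required'          => true,
                'type'              => 'integer',
                'sanitize_callback' => 'absint',
                'validate_callback' => function ( $v ) { return demo_valid_product( $v ) > 0; },
            ),
        ),
        'callback' => function ( WP_REST_Request $req ) {
            return rest_ensure_response(
                demo_wishlist_toggle( get_current_user_id(), (int) $req['product_id'] )
            );
        },
    ) );
} );
```

On the client side the hardened AJAX handler expects a POST to admin-ajax.php with action=demo_add_to_list, product_id and the nonce field, and the hardened REST route expects a POST to /wp-json/demo/v1/wishlist carrying an X-WP-Nonce header set to wp_create_nonce( 'wp_rest' ); a page on another origin can obtain neither value, which is exactly what the missing checks in the two vulnerable variants fail to enforce.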


Technical Details

Data Version
5.2
Assigner Short Name
Wordfence
Date Reserved
2025-10-27T16:10:11.719Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 69302ef1720cedca79452379

Added to database: 12/3/2025, 12:37:05 PM

Last enriched: 12/3/2025, 12:52:29 PM

Last updated: 12/5/2025, 1:06:15 AM
