CVE-2025-12427 is an authorization bypass vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) affecting the YITH WooCommerce Wishlist plugin for WordPress, versions up to and including 4.10.0. The flaw exists in the REST API endpoint and AJAX handler where the plugin fails to properly validate user-supplied wishlist token IDs. This lack of validation allows unauthenticated attackers to enumerate or guess valid wishlist token IDs belonging to other users. Once a valid token ID is identified, the attacker can rename the victim's wishlist without any authorization checks, thereby compromising the integrity of the wishlist data. The vulnerability does not expose confidential information nor does it affect system availability, but it enables attackers to manipulate user data, potentially leading to defacement of user content, social engineering attacks by altering wishlist names, and profiling of users at scale. The attack vector requires no authentication or user interaction, and the vulnerability is remotely exploitable over the network. Although no public exploits have been reported, the medium CVSS score of 5.3 reflects the moderate impact and ease of exploitation. The vulnerability affects all versions of the plugin up to 4.10.0, and no official patches are currently linked, indicating that users must monitor vendor updates closely. The flaw is particularly concerning for multi-user WooCommerce stores where wishlists are a key feature for user engagement and marketing.

For European organizations operating WooCommerce-based e-commerce platforms using the vulnerable YITH WooCommerce Wishlist plugin, this vulnerability poses a risk to the integrity of user-generated content. Attackers can rename wishlists arbitrarily, which could lead to customer confusion, damage to brand reputation, and potential loss of customer trust. The ability to tamper with wishlists at scale also opens avenues for social engineering attacks, where attackers might manipulate wishlist names to mislead users or inject malicious links. Although no direct data leakage or service disruption occurs, the reputational and operational impacts could be significant, especially for large retailers and marketplaces relying on WooCommerce in Europe. Furthermore, attackers could profile users by enumerating wishlist tokens, potentially aiding targeted phishing or fraud campaigns. This risk is amplified in countries with high WooCommerce market penetration and where e-commerce regulations emphasize data integrity and consumer protection. Organizations may face regulatory scrutiny if user data integrity is compromised, even without direct data breaches.

European organizations should immediately audit their WordPress installations to identify the presence and version of the YITH WooCommerce Wishlist plugin. Until an official patch is released, administrators should consider disabling the wishlist functionality or restricting access to the REST API and AJAX endpoints related to wishlists via web application firewalls (WAFs) or server-level access controls. Implementing strict server-side validation to verify that any wishlist token ID corresponds to the authenticated user before allowing modifications is critical. Monitoring logs for unusual activity targeting wishlist endpoints can help detect exploitation attempts. Organizations should also educate their development teams to follow secure coding practices, particularly validating and authorizing user inputs in REST API handlers. Once a vendor patch is available, prompt application of updates is essential. Additionally, consider implementing rate limiting on API endpoints to reduce the risk of token enumeration. Finally, communicate transparently with customers about any potential impact and remediation steps to maintain trust.