CVE-2025-12427: CWE-639 Authorization Bypass Through User-Controlled Key in yithemes YITH WooCommerce Wishlist
The YITH WooCommerce Wishlist plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.10.0 via the REST API endpoint and AJAX handler due to missing validation on user-controlled keys. This makes it possible for unauthenticated attackers to discover any user's wishlist token ID, and subsequently rename the victim's wishlist without authorization (integrity impact). This can be exploited to target multi-user stores for defacement, social engineering attacks, mass tampering, and profiling at scale.
AI Analysis
Technical Summary
CVE-2025-12427 affects the YITH WooCommerce Wishlist plugin for WordPress, versions up to and including 4.10.0. The vulnerability is an authorization bypass caused by insecure direct object references (CWE-639) in the plugin's REST API endpoint and AJAX handler. Specifically, the plugin fails to properly validate user-controlled keys that identify wishlist token IDs, allowing unauthenticated attackers to enumerate any user's wishlist token. Once an attacker discovers a victim's wishlist token ID, they can rename the wishlist without any authorization checks, compromising the integrity of the victim's data. This flaw arises because the plugin does not enforce ownership verification or access control on these operations, exposing wishlist management functions to unauthorized users. The vulnerability is exploitable remotely over the network without requiring authentication or user interaction, making it relatively easy to exploit. The impact is limited to integrity, as attackers cannot read or delete wishlists but can alter wishlist names, which can be leveraged for defacement, social engineering, or profiling attacks in multi-user e-commerce stores. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The CVSS v3.1 base score is 5.3, reflecting network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, no confidentiality or availability impact, and low integrity impact.
Potential Impact
The primary impact of this vulnerability is on data integrity within e-commerce environments using the YITH WooCommerce Wishlist plugin. Attackers can rename any user's wishlist, potentially causing confusion, defacement, or misleading information that could be exploited for social engineering or phishing attacks. In multi-user stores, this can lead to reputational damage, loss of customer trust, and operational disruption if attackers manipulate wishlists en masse. Although confidentiality and availability are not directly affected, the ability to tamper with user data at scale can facilitate profiling and targeted attacks against customers. Organizations relying on this plugin risk undermining user experience and trust, which can have downstream financial and brand impacts. The ease of exploitation without authentication increases the threat level, especially for high-traffic WooCommerce stores with many users. However, the lack of known active exploits and the medium CVSS score suggest the threat is moderate but should not be ignored.
Mitigation Recommendations
To mitigate this vulnerability, organizations should first check for and apply any official patches or updates from the YITH WooCommerce Wishlist plugin vendor once available. In the absence of patches, administrators can implement the following specific mitigations:
1) Restrict access to the REST API endpoints and AJAX handlers related to wishlist management by enforcing strict authentication and authorization checks at the web server or application firewall level.
2) Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious requests attempting to enumerate or modify wishlist token IDs.
3) Monitor logs for unusual activity patterns targeting wishlist endpoints, such as repeated requests with varying token IDs from unauthenticated sources.
4) Consider disabling the wishlist feature temporarily if it is not critical to business operations until a patch is available.
5) Educate users and staff about potential phishing or social engineering risks stemming from manipulated wishlist data.
6) Review and harden WordPress and WooCommerce security configurations to reduce overall attack surface.
These targeted actions go beyond generic advice by focusing on access control, monitoring, and temporary feature disablement to reduce exposure.
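The log-monitoring recommendation above (repeated requests with varying token IDs from unauthenticated sources) can be made concrete. The script below is an added example, not code from the advisory or from the YITH plugin. It assumes a JSON-lines access log with the fields ts, ip, method, path and user ("-" when no authenticated session was present); the wishlist route pattern and the token parameter names it matches are placeholders, because the advisory says only "the REST API endpoint and AJAX handler" and does not name the plugin's actual routes. /wp-json/ and /wp-admin/admin-ajax.php are WordPress's generic REST and AJAX entry points.

```python
"""Flag enumeration of wishlist token IDs in a web access log.

Added example; not code from the advisory or from the YITH plugin. Assumes a
JSON-lines access log with fields ts (ISO 8601), ip, method, path (including
query string) and user (WordPress login, or "-" when unauthenticated).
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# ASSUMED route pattern and parameter names: the advisory does not give the
# plugin's real routes, so narrow these to what the plugin registers locally.
WISHLIST_PATH_RE = re.compile(r"(^/wp-json/.*wishlist)|(^/wp-admin/admin-ajax\.php$)")
TOKEN_PARAM_NAMES = ("wishlist_token", "wishlist_id")

WINDOW = timedelta(minutes=5)   # look-back window per source IP
DISTINCT_TOKEN_THRESHOLD = 5    # distinct token IDs in one window => alert


def parse_event(line):
    """Parse one JSON log line. Returns None for lines that are not wishlist
    requests carrying a token parameter in the query string."""
    rec = json.loads(line)
    url = urlsplit(rec["path"])
    if not WISHLIST_PATH_RE.search(url.path):
        return None
    query = parse_qs(url.query)
    token = next((query[n][0] for n in TOKEN_PARAM_NAMES if n in query), None)
    if token is None:
        return None
    return {
        "ts": datetime.fromisoformat(rec["ts"]),
        "ip": rec["ip"],
        "user": rec.get("user", "-"),
        "token": token,
    }


def find_token_enumeration(lines, threshold=DISTINCT_TOKEN_THRESHOLD, window=WINDOW):
    """Return {ip: max_distinct_tokens} for unauthenticated sources that hit
    wishlist endpoints with at least `threshold` distinct token IDs inside any
    interval of length `window`. Authenticated requests are skipped because a
    logged-in user legitimately addresses their own wishlist tokens."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is not None and ev["user"] == "-":
            by_ip[ev["ip"]].append(ev)

    alerts = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        best = 0
        for i, start in enumerate(events):
            seen = set()
            for ev in events[i:]:           # events are time-ordered
                if ev["ts"] - start["ts"] > window:
                    break
                seen.add(ev["token"])
            best = max(best, len(seen))
        if best >= threshold:
            alerts[ip] = best
    return alerts


# Constructed sample log: documentation IP ranges, placeholder routes/tokens.
SAMPLE_LOG = [
    '{"ts": "2025-11-19T03:40:00", "ip": "203.0.113.10", "method": "GET", "path": "/wp-json/example-wishlist/v1/wishlist?wishlist_token=t0001", "user": "-"}',
    '{"ts": "2025-11-19T03:40:05", "ip": "203.0.113.10", "method": "GET", "path": "/wp-json/example-wishlist/v1/wishlist?wishlist_token=t0002", "user": "-"}',
    '{"ts": "2025-11-19T03:40:10", "ip": "203.0.113.10", "method": "GET", "path": "/wp-admin/admin-ajax.php?action=example_rename&wishlist_token=t0003", "user": "-"}',
    '{"ts": "2025-11-19T03:40:15", "ip": "203.0.113.10", "method": "GET", "path": "/wp-json/example-wishlist/v1/wishlist?wishlist_token=t0004", "user": "-"}',
    '{"ts": "2025-11-19T03:40:20", "ip": "203.0.113.10", "method": "GET", "path": "/wp-json/example-wishlist/v1/wishlist?wishlist_token=t0005", "user": "-"}',
    '{"ts": "2025-11-19T03:40:25", "ip": "203.0.113.10", "method": "GET", "path": "/wp-json/example-wishlist/v1/wishlist?wishlist_token=t0006", "user": "-"}',
    '{"ts": "2025-11-19T03:41:00", "ip": "198.51.100.7", "method": "GET", "path": "/wp-json/example-wishlist/v1/wishlist?wishlist_token=t0100", "user": "alice"}',
    '{"ts": "2025-11-19T03:41:30", "ip": "198.51.100.7", "method": "GET", "path": "/wp-json/example-wishlist/v1/wishlist?wishlist_token=t0100", "user": "alice"}',
    '{"ts": "2025-11-19T03:42:00", "ip": "192.0.2.5", "method": "GET", "path": "/wp-json/example-wishlist/v1/wishlist?wishlist_token=t0200", "user": "-"}',
    '{"ts": "2025-11-19T03:42:10", "ip": "192.0.2.5", "method": "GET", "path": "/wp-json/example-wishlist/v1/wishlist?wishlist_token=t0201", "user": "-"}',
    '{"ts": "2025-11-19T03:42:20", "ip": "203.0.113.10", "method": "GET", "path": "/wp-json/wp/v2/posts", "user": "-"}',
]

if __name__ == "__main__":
    for ip, n in find_token_enumeration(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {n} distinct wishlist tokens within {WINDOW}")
```

Only the query string reaches a web server access log, so tokens sent in a POST body to admin-ajax.php will not be visible to this check; that path is better covered by the WAF rule in step 2 or by application-level request logging. The threshold and window are tuning knobs: a store whose legitimate shared-wishlist links are opened by many anonymous visitors will need a higher threshold than the sample value.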
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, Netherlands, Italy, Spain, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-28T19:57:51.583Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691d3cbbc00dea8b9c9becb3
Added to database: 11/19/2025, 3:42:51 AM
Last enriched: 2/27/2026, 8:34:20 PM
Last updated: 3/22/2026, 5:29:11 PM