CVE-2025-12427: CWE-639 Authorization Bypass Through User-Controlled Key in yithemes YITH WooCommerce Wishlist
CVE-2025-12427 is a medium-severity vulnerability in the YITH WooCommerce Wishlist WordPress plugin affecting all versions up to 4.10.0. It involves an authorization bypass via an insecure direct object reference (CWE-639) due to missing validation on user-controlled keys in REST API and AJAX endpoints. Unauthenticated attackers can discover any user's wishlist token ID and rename their wishlist without permission, impacting data integrity. This flaw enables mass tampering, defacement, social engineering, and profiling attacks on multi-user WooCommerce stores. No authentication or user interaction is required, and the vulnerability has a CVSS score of 5.3. Although no known exploits are reported in the wild yet, the vulnerability poses a risk to e-commerce sites using this plugin. European organizations running WooCommerce stores with this plugin should prioritize patching or mitigating this issue to prevent potential abuse.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2025-12427 affects the YITH WooCommerce Wishlist plugin for WordPress, a widely used extension that allows users to create and manage wishlists on WooCommerce-based e-commerce sites. The flaw is an Insecure Direct Object Reference (IDOR), classified under CWE-639, arising from insufficient validation of user-controlled keys in the plugin's REST API endpoint and AJAX handler. Specifically, the plugin fails to verify that the requester is authorized to access or modify the wishlist identified by a token ID, allowing unauthenticated attackers to enumerate wishlist token IDs of any user. Once an attacker obtains a victim's wishlist token ID, they can rename the wishlist arbitrarily, thereby compromising the integrity of the victim's data. This vulnerability does not impact confidentiality or availability directly but allows unauthorized modification of wishlist names, which can be leveraged for defacement, social engineering (e.g., misleading wishlist names to trick users), mass tampering of user data, and profiling of users at scale. The attack vector is remote network access without any privileges or user interaction, making exploitation relatively straightforward. The vulnerability affects all versions up to and including 4.10.0 of the plugin. No official patches or fixes are linked yet, and no known exploits have been observed in the wild as of the publication date. The CVSS v3.1 base score is 5.3, reflecting medium severity due to the integrity impact and ease of exploitation without authentication.
Potential Impact
For European organizations operating WooCommerce stores with the YITH WooCommerce Wishlist plugin, this vulnerability can lead to unauthorized modification of user wishlists, undermining customer trust and potentially damaging brand reputation. Attackers could rename wishlists to misleading or offensive terms, causing defacement visible to users and visitors. This can facilitate social engineering attacks by manipulating wishlist content to trick users into phishing or fraud. Additionally, mass tampering could disrupt user experience and lead to increased support costs. Profiling users by enumerating wishlist token IDs may expose behavioral patterns or preferences, raising privacy concerns under GDPR regulations. While the vulnerability does not directly expose sensitive data or cause service outages, the integrity compromise and potential for social engineering pose significant risks to e-commerce operations and customer relations in Europe.
Mitigation Recommendations
European organizations should immediately audit their WooCommerce installations to identify if the YITH WooCommerce Wishlist plugin is installed and determine the version in use. Until an official patch is released, administrators should consider disabling the wishlist functionality or restricting access to the REST API and AJAX endpoints related to the wishlist plugin via web application firewalls or custom access controls. Implementing strict validation and authorization checks on wishlist token IDs at the application or proxy level can mitigate unauthorized access. Monitoring logs for unusual API requests or mass renaming activities can help detect exploitation attempts. Organizations should also communicate with the plugin vendor to obtain timely patches and apply updates as soon as they become available. Additionally, educating users about potential phishing or social engineering risks related to wishlist tampering can reduce the impact of attacks leveraging this vulnerability.
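As an added example (not code from the advisory, Wordfence or the plugin), the following script implements the "monitoring logs for mass renaming activities" recommendation above: it parses combined-format web server access logs and flags a single source that renames more than a handful of distinct wishlist tokens within a short window, which is the enumeration pattern an IDOR of this kind produces. The REST route, AJAX action name and query parameter are assumed placeholders, since the advisory names no endpoints; the sample log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined-format access log: client IP, timestamp, request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Wishlist rename requests in either REST or admin-ajax form. Route, action and parameter
# names are assumed placeholders, not the plugin's real ones; adjust to the deployed endpoints.
RENAME_RES = [re.compile(r'^/wp-json/[^/]+/v\d+/wishlists/(?P<token>[\w-]+)/rename$'),
              re.compile(r'^/wp-admin/admin-ajax\.php\?(?=.*\baction=rename_wishlist\b).*\bwishlist_token=(?P<token>[\w-]+)')]

# Constructed sample lines: one source renames four different wishlists within seconds
# (the enumeration pattern behind this IDOR); a normal customer renames only its own list.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Nov/2025:03:40:01 +0000] "POST /wp-json/wishlist-plugin/v1/wishlists/tok-0001/rename HTTP/1.1" 200 82 "-" "curl/8.0"
203.0.113.5 - - [19/Nov/2025:03:40:02 +0000] "POST /wp-json/wishlist-plugin/v1/wishlists/tok-0002/rename HTTP/1.1" 200 82 "-" "curl/8.0"
203.0.113.5 - - [19/Nov/2025:03:40:03 +0000] "POST /wp-admin/admin-ajax.php?action=rename_wishlist&wishlist_token=tok-0003 HTTP/1.1" 200 82 "-" "curl/8.0"
203.0.113.5 - - [19/Nov/2025:03:40:04 +0000] "POST /wp-json/wishlist-plugin/v1/wishlists/tok-0004/rename HTTP/1.1" 200 82 "-" "curl/8.0"
198.51.100.7 - - [19/Nov/2025:03:41:10 +0000] "POST /wp-json/wishlist-plugin/v1/wishlists/tok-0042/rename HTTP/1.1" 200 82 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Nov/2025:03:41:30 +0000] "GET /wp-json/wishlist-plugin/v1/wishlists/tok-0042 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

def parse_rename(line):
    """Return (ip, timestamp, wishlist_token) for a successful rename request, else None."""
    m = LOG_RE.match(line)
    if not m or m['method'] != 'POST' or m['status'] != '200':
        return None
    for rx in RENAME_RES:
        r = rx.match(m['path'])
        if r:
            ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
            return m['ip'], ts, r['token']
    return None

def detect_mass_rename(lines, window=timedelta(minutes=5), max_tokens=3):
    """Flag IPs renaming more than max_tokens distinct wishlists inside a sliding window:
    a customer touches one or two lists, many tokens from one source means enumeration."""
    recent, alerts = defaultdict(deque), defaultdict(set)
    for line in lines:
        ev = parse_rename(line)
        if ev is None:
            continue
        ip, ts, token = ev
        q = recent[ip]
        q.append((ts, token))
        while ts - q[0][0] > window:      # evict events older than the window
            q.popleft()
        distinct = {t for _, t in q}
        if len(distinct) > max_tokens:
            alerts[ip].update(distinct)
    return {ip: sorted(toks) for ip, toks in alerts.items()}
```

Tune `max_tokens` and `window` to the store's normal traffic; a flagged IP is a candidate for WAF blocking and for checking which wishlists need their names restored.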
Affected Countries
Germany, United Kingdom, France, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-28T19:57:51.583Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691d3cbbc00dea8b9c9becb3
Added to database: 11/19/2025, 3:42:51 AM
Last enriched: 11/19/2025, 3:58:27 AM
Last updated: 11/19/2025, 4:03:11 AM
Related Threats
- CVE-2025-6251: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in wproyal Royal Addons for Elementor – Addons and Templates Kit for Elementor (Medium)
- CVE-2025-12777: CWE-285 Improper Authorization in yithemes YITH WooCommerce Wishlist (Medium)
- CVE-2025-12770: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in saadiqbal New User Approve (Medium)
- CVE-2025-13051: CWE-427 Uncontrolled Search Path Element in ASUSTOR ABP and AES (Critical)
- CVE-2025-13225: Vulnerability in Tanium TanOS (Medium)