CVE-2025-12777: CWE-285 Improper Authorization in yithemes YITH WooCommerce Wishlist
The YITH WooCommerce Wishlist plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.10.0. This is due to the plugin not properly verifying that a user is authorized to perform actions on the REST API /wp-json/yith/wishlist/v1/lists endpoint (which uses permission_callback => '__return_true') and the AJAX delete_item handler (which only checks nonce validity without verifying object-level authorization). This makes it possible for unauthenticated attackers to disclose wishlist tokens for any user and subsequently delete wishlist items by chaining the REST API authorization bypass with the exposed delete_item nonce on shared wishlist pages and the AJAX handler's missing object-level authorization check.
AI Analysis
Technical Summary
CVE-2025-12777 is an authorization bypass vulnerability classified under CWE-285 affecting the YITH WooCommerce Wishlist plugin for WordPress, specifically all versions up to and including 4.10.0. The root cause is improper authorization checks on two key components: the REST API endpoint /wp-json/yith/wishlist/v1/lists and the AJAX delete_item handler. The REST API endpoint uses a permission_callback set to '__return_true', effectively allowing any unauthenticated user to access wishlist data without restriction. Meanwhile, the AJAX delete_item handler validates only the nonce for request authenticity but lacks object-level authorization verification, meaning it does not confirm whether the requesting user has permission to delete the targeted wishlist item. An attacker can exploit this by first retrieving wishlist tokens from any user via the REST API bypass and then using these tokens combined with the nonce from shared wishlist pages to delete wishlist items via the AJAX handler. This chained attack compromises the integrity of user wishlists by allowing unauthorized deletion of items. The vulnerability does not expose confidential data directly but leaks wishlist tokens, which can be leveraged for further unauthorized actions. The CVSS 3.1 base score is 5.3 (medium), reflecting network attack vector, no privileges required, no user interaction, and impact limited to integrity loss without affecting confidentiality or availability. No patches or exploits are currently known, but the vulnerability is publicly disclosed and should be addressed promptly to prevent exploitation.
Potential Impact
The primary impact of CVE-2025-12777 is unauthorized modification of user wishlist data, specifically the deletion of wishlist items by unauthenticated attackers. This compromises data integrity and can disrupt user experience and trust in e-commerce platforms using the affected plugin. While confidentiality and availability are not directly impacted, the ability to manipulate user data without authorization can lead to reputational damage, customer dissatisfaction, and potential financial loss for online retailers. Attackers might also leverage this vulnerability as part of broader attacks targeting user accounts or to cause disruption in e-commerce operations. Organizations relying on YITH WooCommerce Wishlist for customer engagement risk undermining their platform's reliability and security posture if this vulnerability is exploited. The lack of authentication requirements and ease of exploitation increase the threat level, especially for high-traffic e-commerce sites.
Mitigation Recommendations
To mitigate CVE-2025-12777, update the YITH WooCommerce Wishlist plugin to a version in which the issue is fixed as soon as one is available. Until an official patch exists, implement custom access controls on the REST API endpoint by replacing the permission_callback '__return_true' with a function that verifies the caller is authenticated and authorized to read the requested lists. Also extend the AJAX delete_item handler with strict object-level authorization: a valid nonce only shows that the request originated from a page the site served, so the handler must additionally confirm that the requesting user owns the targeted wishlist item before deleting it. Restrict access to shared wishlist pages and monitor logs for unusual API or AJAX requests that could indicate exploitation attempts, such as unauthenticated requests to /wp-json/yith/wishlist/v1/lists followed by delete_item AJAX calls. Deploy Web Application Firewall (WAF) rules covering suspicious REST API and AJAX calls related to wishlist operations. Regularly audit plugin permission callbacks and nonce usage against security best practices, and ensure site administrators apply plugin updates promptly and keep security monitoring in place.
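The two fixes described above, as an added illustration that is not code from the YITH plugin or from the advisory: a REST route registered with the permissive '__return_true' callback beside a hardened registration that requires an authenticated user and scopes results to that user, and an AJAX delete handler that performs an ownership check after the nonce check. The route namespace example/v1, every example_* function name, the in-memory owner table, and the nonce action name are assumptions made for this illustration; a real plugin would query its own tables instead.

```php
<?php
// Added illustration (not the plugin's own code). Assumptions: the example_* helpers,
// the example/v1 route namespace and the in-memory owner table below stand in for the
// plugin's data layer and are hypothetical.

// Constructed sample data: wishlist item ID => owning WordPress user ID.
function example_wishlist_store(): array {
    return [
        101 => 7,
        102 => 7,
        103 => 12,
    ];
}

// Object-level authorization decision, kept free of WordPress globals so it can be
// unit-tested. Unknown items and anonymous callers (user ID 0) are denied.
function example_user_may_delete_item( int $item_id, int $user_id ): bool {
    $owners = example_wishlist_store();
    if ( $user_id <= 0 || ! isset( $owners[ $item_id ] ) ) {
        return false;
    }
    return $owners[ $item_id ] === $user_id;
}

// BEFORE: the pattern the advisory describes. '__return_true' accepts every caller,
// so the callback's output is readable without any authentication. Not hooked here.
function example_register_weak_route(): void {
    register_rest_route( 'example/v1', '/lists', [
        'methods'             => 'GET',
        'callback'            => 'example_rest_list_wishlists',
        'permission_callback' => '__return_true',
    ] );
}

// AFTER: reject anonymous callers up front; the callback then only returns the
// current user's own lists, so no other user's tokens or items are disclosed.
function example_register_hardened_route(): void {
    register_rest_route( 'example/v1', '/lists', [
        'methods'             => 'GET',
        'callback'            => 'example_rest_list_wishlists',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! is_user_logged_in() ) {
                return new WP_Error( 'rest_forbidden', 'Authentication required.', [ 'status' => 401 ] );
            }
            return true;
        },
    ] );
}
add_action( 'rest_api_init', 'example_register_hardened_route' );

function example_rest_list_wishlists( WP_REST_Request $request ) {
    $user_id = get_current_user_id();
    $items   = array_keys( array_filter(
        example_wishlist_store(),
        fn( int $owner ) => $owner === $user_id
    ) );
    return rest_ensure_response( [ 'items' => $items ] );
}

// AJAX delete handler. check_ajax_referer() only proves the request carries a nonce
// the site issued (a CSRF control); it says nothing about who owns the item, which is
// why the ownership check follows it. Only the wp_ajax_ hook is registered: without a
// wp_ajax_nopriv_ hook, WordPress rejects unauthenticated calls to this action.
add_action( 'wp_ajax_example_delete_item', 'example_ajax_delete_item' );
function example_ajax_delete_item(): void {
    check_ajax_referer( 'example_delete_item', 'nonce' ); // dies with 403 on a bad nonce

    $item_id = isset( $_POST['item_id'] ) ? absint( $_POST['item_id'] ) : 0;
    $user_id = get_current_user_id();

    if ( ! example_user_may_delete_item( $item_id, $user_id ) ) {
        wp_send_json_error( [ 'message' => 'Not allowed to delete this item.' ], 403 );
    }

    // Deletion itself would go through the plugin's data layer here.
    wp_send_json_success( [ 'deleted' => $item_id ] );
}
```

The ownership check is deliberately separated from the WordPress hooks so it can be exercised in isolation: with the constructed table above, example_user_may_delete_item( 101, 7 ) is true, while example_user_may_delete_item( 101, 12 ) and example_user_may_delete_item( 101, 0 ) are both false. If a plugin intentionally exposes lists by share token, the same rule still applies: a token presented by a visitor may grant read access to that one list, but deletion should continue to require the authenticated owner.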
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, Netherlands, Italy, Spain, Brazil, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-05T20:43:52.611Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691d3cbbc00dea8b9c9becc1
Added to database: 11/19/2025, 3:42:51 AM
Last enriched: 2/27/2026, 9:07:35 PM
Last updated: 3/22/2026, 9:16:05 AM
Views: 112