
CVE-2025-12777: CWE-285 Improper Authorization in yithemes YITH WooCommerce Wishlist

Severity: Medium
Tags: Vulnerability, CVE-2025-12777, CWE-285
Published: Wed Nov 19 2025 (11/19/2025, 03:29:38 UTC)
Source: CVE Database V5
Vendor/Project: yithemes
Product: YITH WooCommerce Wishlist

Description

The YITH WooCommerce Wishlist plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.10.0. This is due to the plugin not properly verifying that a user is authorized to perform actions on the REST API /wp-json/yith/wishlist/v1/lists endpoint (which uses permission_callback => '__return_true') and the AJAX delete_item handler (which only checks nonce validity without verifying object-level authorization). This makes it possible for unauthenticated attackers to disclose wishlist tokens for any user and subsequently delete wishlist items by chaining the REST API authorization bypass with the exposed delete_item nonce on shared wishlist pages and the AJAX handler's missing object-level authorization check.

AI-Powered Analysis

Last updated: 11/26/2025, 04:45:03 UTC

Technical Analysis

CVE-2025-12777 is a medium severity authorization bypass vulnerability affecting the YITH WooCommerce Wishlist plugin for WordPress, specifically all versions up to and including 4.10.0. The root cause is improper authorization checks on two critical components: the REST API endpoint /wp-json/yith/wishlist/v1/lists and the AJAX delete_item handler. The REST API endpoint uses a permission_callback set to '__return_true', effectively disabling any authorization checks and allowing unauthenticated users to access wishlist data, including sensitive wishlist tokens. Meanwhile, the AJAX delete_item handler validates only the nonce for request authenticity but lacks object-level authorization verification, meaning it does not confirm whether the requester has permission to delete the targeted wishlist item. An attacker can exploit this by first retrieving wishlist tokens via the REST API, then using those tokens combined with the nonce from shared wishlist pages to delete wishlist items belonging to other users. This chain of flaws leads to unauthorized integrity violations, specifically the deletion of wishlist entries without authentication or proper authorization. The vulnerability does not expose confidential data directly but compromises data integrity and user trust. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) indicates network attack vector, low attack complexity, no privileges or user interaction required, unchanged scope, no confidentiality or availability impact, but partial integrity impact. No patches or known exploits are currently available, so mitigation relies on configuration changes or plugin updates once released.
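The two weak patterns named in the description and the technical analysis above (a REST route registered with permission_callback => '__return_true', and an AJAX delete handler that checks only a nonce) are reproduced here beside their hardened forms. This is an added illustration, not code from the YITH WooCommerce Wishlist plugin; the yith_demo_* function names, the yith-demo/v1 namespace, the nonce action name and the in-memory wishlist store are all constructed for the example.

```php
<?php
// Added illustration, not the YITH WooCommerce Wishlist plugin's own code.
// It reproduces the two authorization patterns named in the advisory on a
// constructed in-memory wishlist store and shows the hardened form of each.
// All yith_demo_* names, the route namespace and the store are assumptions.

// Constructed sample data: wishlist id => owner user id, share token, item ids.
// Returned by reference so deletions below are visible to later calls.
function &yith_demo_store() {
    static $store = array(
        11 => array( 'owner' => 5, 'token' => 'tok-alice', 'items' => array( 101, 102 ) ),
        12 => array( 'owner' => 7, 'token' => 'tok-bob',   'items' => array( 201 ) ),
    );
    return $store;
}

// Only the lists (and therefore share tokens) that belong to $user_id.
function yith_demo_lists_for_user( $user_id ) {
    $out = array();
    foreach ( yith_demo_store() as $id => $list ) {
        if ( $list['owner'] === $user_id ) {
            $out[] = array( 'id' => $id, 'token' => $list['token'], 'items' => $list['items'] );
        }
    }
    return $out;
}

// Object-level lookup: which user owns the list containing $item_id (null if none).
function yith_demo_item_owner( $item_id ) {
    foreach ( yith_demo_store() as $list ) {
        if ( in_array( $item_id, $list['items'], true ) ) {
            return $list['owner'];
        }
    }
    return null;
}

function yith_demo_delete_item( $item_id ) {
    $store = &yith_demo_store();
    foreach ( $store as $id => $list ) {
        $store[ $id ]['items'] = array_values( array_diff( $list['items'], array( $item_id ) ) );
    }
}

add_action( 'rest_api_init', function () {
    // Weak: '__return_true' as permission_callback means every caller,
    // authenticated or not, passes the permission check and sees every list.
    register_rest_route( 'yith-demo/v1', '/lists', array(
        'methods'             => 'GET',
        'callback'            => function () { return rest_ensure_response( yith_demo_store() ); },
        'permission_callback' => '__return_true',
    ) );

    // Hardened: require a logged-in user and return only that user's lists,
    // so one user's share tokens are never disclosed to another caller.
    register_rest_route( 'yith-demo/v1', '/my-lists', array(
        'methods'             => 'GET',
        'callback'            => function () {
            return rest_ensure_response( yith_demo_lists_for_user( get_current_user_id() ) );
        },
        'permission_callback' => function () { return is_user_logged_in(); },
    ) );
} );

// Weak: the nonce only proves the request came from a page that rendered it
// (CSRF protection). It says nothing about whether this caller may delete
// this particular item, so any item id that exists is deleted.
add_action( 'wp_ajax_yith_demo_delete_item',        'yith_demo_ajax_delete_item_weak' );
add_action( 'wp_ajax_nopriv_yith_demo_delete_item', 'yith_demo_ajax_delete_item_weak' );
function yith_demo_ajax_delete_item_weak() {
    check_ajax_referer( 'yith-demo-delete-item', 'nonce' );
    $item_id = absint( $_POST['item_id'] ?? 0 );
    yith_demo_delete_item( $item_id );
    wp_send_json_success( array( 'deleted' => $item_id ) );
}

// Hardened: same nonce check, then object-level authorization: the item must
// exist and belong to the authenticated user making the request. Registered
// for logged-in users only (no wp_ajax_nopriv_ hook).
add_action( 'wp_ajax_yith_demo_delete_item_hardened', 'yith_demo_ajax_delete_item_hardened' );
function yith_demo_ajax_delete_item_hardened() {
    check_ajax_referer( 'yith-demo-delete-item', 'nonce' );
    $item_id = absint( $_POST['item_id'] ?? 0 );
    $owner   = yith_demo_item_owner( $item_id );
    if ( ! is_user_logged_in() || null === $owner || $owner !== get_current_user_id() ) {
        wp_send_json_error( array( 'message' => 'You may not delete this item.' ), 403 );
    }
    yith_demo_delete_item( $item_id );
    wp_send_json_success( array( 'deleted' => $item_id ) );
}
```

The point the hardened handler makes is that a nonce and an authorization check answer different questions: check_ajax_referer only ties the request to a page that rendered the nonce, while the ownership comparison ties the target object to the caller. How the real plugin represents guest (session-based) wishlists is not covered by this example; a guest flow would need an equivalent check against the session that created the list.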

Potential Impact

For European organizations operating e-commerce websites using WordPress with the YITH WooCommerce Wishlist plugin, this vulnerability poses a risk to the integrity of user data. Attackers can delete wishlist items of any user without authentication, potentially disrupting customer experience and trust. While no direct confidentiality breach occurs, the ability to manipulate user wishlists can lead to reputational damage, customer dissatisfaction, and potential loss of sales. In regulated sectors, such as retail or consumer protection-focused jurisdictions within Europe, failure to address such vulnerabilities could also attract regulatory scrutiny under GDPR if user trust and service integrity are compromised. The impact is particularly relevant for high-traffic online stores relying on wishlist features for marketing and sales strategies. Since the vulnerability requires no user interaction or privileges, it can be exploited remotely and at scale, increasing risk exposure. However, the lack of known exploits in the wild currently reduces immediate threat levels but does not eliminate future risk.

Mitigation Recommendations

European organizations should immediately audit their WordPress installations to identify the presence and version of the YITH WooCommerce Wishlist plugin. Until an official patch is released, administrators should consider disabling the wishlist functionality or restricting access to the REST API endpoints related to the wishlist via web application firewalls (WAF) or server-level access controls. Implementing strict access controls on the /wp-json/yith/wishlist/v1/lists endpoint to require authentication and proper authorization checks can mitigate unauthorized access. Additionally, reviewing and tightening nonce validation and adding object-level authorization checks in custom code or plugin overrides can reduce risk. Monitoring web logs for suspicious access patterns targeting the wishlist endpoints is recommended. Once a vendor patch becomes available, prompt application of updates is critical. Organizations should also educate their development and security teams about the risks of improper authorization in REST APIs and AJAX handlers to prevent similar issues in custom plugins or themes.
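One way to implement the interim "restrict access in custom code" option above while waiting for a vendor fix is a must-use plugin that refuses unauthenticated REST requests under the wishlist namespace and logs each refusal for the log monitoring the recommendations call for. This is an added example, not YITH code; it assumes the /yith/wishlist/v1 route prefix quoted in the advisory and that your front end sends the REST nonce (X-WP-Nonce) for logged-in users, and the wishlist_gate_* names are constructed.

```php
<?php
/*
 * Plugin Name: Wishlist REST gate (added example mu-plugin, not YITH code)
 * Drop into wp-content/mu-plugins/. Assumes the /yith/wishlist/v1 route prefix
 * from the advisory; adjust if your installation differs.
 */

// True when a REST route falls under the wishlist namespace.
function wishlist_gate_is_wishlist_route( $route ) {
    return 0 === strpos( $route, '/yith/wishlist/v1' );
}

// Decide whether a request may proceed: logged-in users only. Returns null
// (let WordPress continue) or a WP_Error that becomes the HTTP response.
// Kept free of globals so the policy can be unit-tested in isolation.
function wishlist_gate_decide( $route, $logged_in, $remote_addr ) {
    if ( ! wishlist_gate_is_wishlist_route( $route ) ) {
        return null;
    }
    if ( $logged_in ) {
        return null;
    }
    // Record the refusal so it appears in the PHP error log alongside web logs.
    error_log( sprintf( 'wishlist-gate: blocked unauthenticated %s from %s', $route, $remote_addr ) );
    return new WP_Error( 'wishlist_gate_forbidden', 'Authentication required.', array( 'status' => 401 ) );
}

// rest_pre_dispatch runs after REST authentication but before the route's own
// permission_callback; a non-null return short-circuits dispatch and is sent
// as the response, so the weak '__return_true' check is never reached.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    if ( null !== $result ) {
        return $result; // an earlier filter already decided
    }
    $decision = wishlist_gate_decide(
        $request->get_route(),
        is_user_logged_in(),
        $_SERVER['REMOTE_ADDR'] ?? 'unknown'
    );
    return null === $decision ? $result : $decision;
}, 10, 3 );
```

Two caveats when deploying this. First, it gates only the REST namespace; the AJAX delete_item handler lives under admin-ajax.php and is not touched, so the object-level check from the previous section still has to come from the vendor patch or a plugin override. Second, guests never pass is_user_logged_in(), so any wishlist feature the plugin offers to anonymous visitors stops working while the gate is in place, which is the "disable the functionality" trade-off the recommendations mention. The same policy can be expressed as a deny rule for that path at the web server or WAF, which applies it before PHP runs at all.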


Technical Details

Data Version
5.2
Assigner Short Name
Wordfence
Date Reserved
2025-11-05T20:43:52.611Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 691d3cbbc00dea8b9c9becc1

Added to database: 11/19/2025, 3:42:51 AM

Last enriched: 11/26/2025, 4:45:03 AM

Last updated: 1/7/2026, 5:25:16 AM

Views: 71

Community Reviews

0 reviews

