CVE-2025-12777: CWE-285 Improper Authorization in yithemes YITH WooCommerce Wishlist
The YITH WooCommerce Wishlist plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.10.0. This is due to the plugin not properly verifying that a user is authorized to perform actions on the REST API /wp-json/yith/wishlist/v1/lists endpoint (which uses permission_callback => '__return_true') and the AJAX delete_item handler (which only checks nonce validity without verifying object-level authorization). This makes it possible for unauthenticated attackers to disclose wishlist tokens for any user and subsequently delete wishlist items by chaining the REST API authorization bypass with the exposed delete_item nonce on shared wishlist pages and the AJAX handler's missing object-level authorization check.
AI Analysis
Technical Summary
The YITH WooCommerce Wishlist plugin for WordPress, widely used to enable wishlist functionality in WooCommerce e-commerce sites, contains an authorization bypass vulnerability identified as CVE-2025-12777. This vulnerability stems from improper authorization checks in two key components: the REST API endpoint /wp-json/yith/wishlist/v1/lists and the AJAX delete_item handler. The REST API endpoint uses a permission_callback set to '__return_true', effectively allowing any unauthenticated user to access wishlist data, including sensitive wishlist tokens. Meanwhile, the AJAX delete_item handler validates only the nonce (a security token to prevent CSRF) but does not perform object-level authorization checks to confirm that the requester is permitted to delete the targeted wishlist item. By exploiting these combined weaknesses, an attacker can first retrieve wishlist tokens for arbitrary users and then delete wishlist items without authentication or proper authorization. The vulnerability affects all versions up to and including 4.10.0 of the plugin. Although the CVSS v3.1 base score is 5.3 (medium), reflecting no impact on confidentiality or availability but partial impact on integrity, the flaw can disrupt user experience and trust through the unauthorized deletion of wishlist items. No patches or fixes are currently linked, and no known exploits have been observed in the wild. The vulnerability is classified under CWE-285 (Improper Authorization), highlighting the failure to enforce correct access controls on sensitive operations.
Potential Impact
For European organizations operating WooCommerce stores with the YITH WooCommerce Wishlist plugin, this vulnerability can lead to unauthorized manipulation of customer wishlist data. While it does not expose confidential information directly, the ability to delete wishlist items undermines data integrity and can degrade customer trust and satisfaction. This could result in reputational damage and potential loss of sales if customers find their wishlists tampered with. Additionally, attackers might leverage this flaw as part of broader attacks, such as social engineering or account targeting. Given the widespread use of WooCommerce in Europe, especially among small and medium-sized enterprises in countries like Germany, the UK, France, and Italy, the impact could be significant. The vulnerability does not affect system availability or confidentiality but compromises the integrity of user data, which is critical for e-commerce operations.
Mitigation Recommendations
European organizations should immediately audit their WooCommerce installations to identify the presence of the YITH WooCommerce Wishlist plugin and its version. Until an official patch is released, administrators should consider the following mitigations:
1) Disable or restrict access to the vulnerable REST API endpoint (/wp-json/yith/wishlist/v1/lists) using web application firewalls (WAFs) or server-level access controls to block unauthenticated requests.
2) Implement custom code or plugins to enforce strict authorization checks on wishlist-related AJAX handlers, ensuring only authorized users can delete or modify wishlist items.
3) Monitor logs for unusual access patterns to the wishlist endpoints and AJAX handlers to detect potential exploitation attempts.
4) Educate site administrators and developers on the importance of proper permission callbacks and nonce validation combined with object-level authorization.
5) Regularly check for updates from the vendor and apply patches promptly once available.
6) Consider temporarily disabling the wishlist functionality if it is not critical to business operations until the vulnerability is resolved.
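As an added illustration (not code from the YITH plugin or its vendor), the two weak patterns described above are shown in WordPress plugin PHP beside hardened forms that add authentication and object-level ownership checks. The 'example/v1' namespace, the yx_* names and the in-memory item table are hypothetical placeholders.

```php
<?php
// Constructed sample store (hypothetical): wishlist item id => owner user id.
$GLOBALS['yx_items'] = [ 101 => 7, 102 => 7, 201 => 9 ];
function yx_owner_id( int $id ): int { return $GLOBALS['yx_items'][ $id ] ?? 0; }
function yx_delete_item( int $id ): void { unset( $GLOBALS['yx_items'][ $id ] ); }

add_action( 'rest_api_init', function () {
    // WEAK: 'permission_callback' => '__return_true' admits any unauthenticated
    // caller and the handler returns every user's data (the token-disclosure pattern).
    register_rest_route( 'example/v1', '/lists-weak', [
        'methods'             => 'GET',
        'callback'            => function () { return rest_ensure_response( $GLOBALS['yx_items'] ); },
        'permission_callback' => '__return_true',
    ] );
    // HARDENED: authenticate in permission_callback; the handler below then
    // returns only the caller's own items, so no other user's data can leak.
    register_rest_route( 'example/v1', '/lists', [
        'methods'             => 'GET',
        'callback'            => 'yx_list_wishlists',
        'permission_callback' => function () {
            return is_user_logged_in() ? true
                : new WP_Error( 'rest_forbidden', 'Login required.', [ 'status' => 401 ] );
        },
    ] );
} );
function yx_list_wishlists( WP_REST_Request $request ) {
    $mine = array_keys( $GLOBALS['yx_items'], get_current_user_id(), true );
    return rest_ensure_response( [ 'items' => $mine ] );
}

// WEAK (not hooked): a valid nonce only proves the request came from a page that
// embeds it (CSRF defence); it says nothing about who owns the item being deleted.
function yx_ajax_delete_item_weak() {
    check_ajax_referer( 'yx_delete_item', 'nonce' );
    yx_delete_item( absint( $_POST['item_id'] ?? 0 ) );
    wp_send_json_success();
}

// HARDENED: nonce check plus object-level authorization (owner === caller).
function yx_ajax_delete_item() {
    check_ajax_referer( 'yx_delete_item', 'nonce' );
    $item_id = absint( $_POST['item_id'] ?? 0 );
    $user_id = get_current_user_id();
    if ( 0 === $user_id || yx_owner_id( $item_id ) !== $user_id ) {
        wp_send_json_error( [ 'message' => 'forbidden' ], 403 ); // sends 403 and exits
    }
    yx_delete_item( $item_id );
    wp_send_json_success();
}
// Hook for logged-in users only; deliberately no wp_ajax_nopriv_ variant for deletes.
add_action( 'wp_ajax_yx_delete_item', 'yx_ajax_delete_item' );
```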
Affected Countries
Germany, United Kingdom, France, Italy, Spain, Netherlands, Poland, Sweden, Belgium, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-05T20:43:52.611Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691d3cbbc00dea8b9c9becc1
Added to database: 11/19/2025, 3:42:51 AM
Last enriched: 11/19/2025, 3:58:01 AM
Last updated: 11/19/2025, 5:24:59 AM