CVE-2025-32272 is a CSRF vulnerability identified in the PickPlugins Wishlist plugin, a tool commonly integrated into WordPress-based e-commerce sites to manage user wishlists. The vulnerability affects all versions up to and including 1.0.46. CSRF vulnerabilities occur when an attacker tricks an authenticated user into submitting a forged HTTP request, which the server processes as a legitimate action. In this case, the attacker could craft a malicious webpage or email that, when visited by a logged-in user, triggers unauthorized actions on the Wishlist plugin, such as adding or removing items from a user's wishlist without their consent. This can lead to unauthorized manipulation of user data and potentially degrade user trust or disrupt e-commerce operations. The vulnerability does not require the attacker to have direct authentication credentials, only that the victim is logged in. No patches or fixes have been officially published at the time of disclosure, and no active exploitation has been reported. The lack of a CVSS score means severity must be inferred from the nature of the vulnerability, its ease of exploitation, and potential impact on confidentiality, integrity, and availability of user data within the affected plugin.

The primary impact of this CSRF vulnerability is unauthorized modification of user wishlist data, which can lead to data integrity issues and potentially affect user experience and trust. For e-commerce sites, this could result in confusion, loss of sales opportunities, or reputational damage if users find their wishlists manipulated without their consent. While this vulnerability does not directly expose sensitive data or allow privilege escalation, it undermines the integrity of user interactions and could be leveraged as part of a broader attack chain. Organizations relying on the PickPlugins Wishlist plugin are at risk of these impacts, especially if they have a large user base or rely heavily on wishlist functionality for marketing and sales. The absence of known exploits reduces immediate risk but does not eliminate the potential for future attacks. Additionally, if combined with other vulnerabilities, this CSRF flaw could facilitate more severe compromises.

To mitigate this vulnerability, organizations should implement strict anti-CSRF protections such as verifying CSRF tokens on all state-changing requests within the Wishlist plugin. Until an official patch is released, administrators can consider temporarily disabling the Wishlist plugin or restricting its use to trusted users only. Monitoring web server logs and user activity for unusual wishlist modifications can help detect attempted exploitation. Employing Content Security Policy (CSP) headers to restrict the domains from which requests can be made may reduce the risk of CSRF attacks. Additionally, educating users to log out of their accounts when not in use and to avoid visiting untrusted websites while logged in can reduce exposure. Organizations should track vendor communications for patches and apply them promptly once available. Conducting regular security assessments and penetration testing focused on plugin vulnerabilities is also recommended to identify and remediate similar issues proactively.