CVE-2025-12087
📋 TL;DR
This vulnerability allows authenticated WordPress users with Subscriber-level access or higher to delete wishlist items from other users' wishlists. It affects the Wishlist and Save for later for Woocommerce plugin due to missing validation on user-controlled parameters. All WordPress sites using vulnerable versions of this plugin are affected.
💻 Affected Systems
- Wishlist and Save for later for Woocommerce WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Malicious users could systematically delete all wishlist items across all user accounts, disrupting e-commerce functionality and potentially causing business impact through customer dissatisfaction.
Likely Case
Limited targeted deletion of wishlist items from specific users, causing minor disruption to individual shopping experiences.
If Mitigated
With proper access controls and monitoring, impact would be limited to isolated incidents quickly detected and remediated.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once authenticated. The vulnerability is in an AJAX endpoint with insufficient authorization checks.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 1.1.22
Vendor Advisory: https://plugins.trac.wordpress.org/log/aco-wishlist-for-woocommerce/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Wishlist and Save for later for Woocommerce'. 4. Click 'Update Now' if available. 5. Alternatively, download latest version from WordPress repository and manually update.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
allRemove or restrict access to the vulnerable 'awwlm_remove_added_wishlist_page' AJAX action
Add to theme's functions.php or custom plugin: remove_action('wp_ajax_awwlm_remove_added_wishlist_page', 'awwlm_remove_added_wishlist_page'); remove_action('wp_ajax_nopriv_awwlm_remove_added_wishlist_page', 'awwlm_remove_added_wishlist_page');
Restrict user capabilities
allTemporarily remove wishlist modification capabilities from Subscriber role
Add to theme's functions.php or custom plugin: function remove_subscriber_wishlist_caps() { $role = get_role('subscriber'); if ($role) { $role->remove_cap('edit_posts'); // Adjust based on actual capability used } } add_action('init', 'remove_subscriber_wishlist_caps');
🧯 If You Can't Patch
- Disable the Wishlist plugin entirely until patched
- Implement web application firewall rules to block requests to the vulnerable AJAX endpoint
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for 'Wishlist and Save for later for Woocommerce' version 1.1.22 or lowerCheck Version:
wp plugin list --name='Wishlist and Save for later for Woocommerce' --field=version (if WP-CLI installed)Verify Fix Applied:
Verify plugin version is higher than 1.1.22 in WordPress admin panel📡 Detection & Monitoring
Log Indicators:
- Multiple POST requests to /wp-admin/admin-ajax.php with action=awwlm_remove_added_wishlist_page from same user ID targeting different wishlist IDs
- Unusual deletion patterns in wishlist-related database tables
Network Indicators:
- HTTP POST requests to admin-ajax.php with suspicious wishlist ID parameters
SIEM Query:
source="wordpress.log" AND "admin-ajax.php" AND "awwlm_remove_added_wishlist_page" AND status=200 | stats count by src_ip, user_id