CVE-2025-12115
📋 TL;DR
The WPC Name Your Price for WooCommerce WordPress plugin allows unauthenticated attackers to purchase products at arbitrary prices even when custom pricing is disabled for specific products. This affects all WordPress sites using this plugin up to version 2.1.9. Attackers can exploit this to buy products at significantly reduced prices, causing financial loss to e-commerce stores.
💻 Affected Systems
- WPC Name Your Price for WooCommerce WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers purchase high-value inventory at near-zero prices, causing substantial financial loss and inventory depletion.
Likely Case
Opportunistic attackers purchase discounted products at below-market prices, resulting in moderate financial loss.
If Mitigated
Regular price monitoring detects anomalies, limiting financial impact to isolated incidents.
🎯 Exploit Status
Exploitation requires no authentication and minimal technical skill - attackers simply need to modify price parameters in purchase requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.2.0
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'WPC Name Your Price for WooCommerce'.
4. Click 'Update Now' if available, or download version 2.2.0+ from the WordPress plugin repository.
5. Activate the updated plugin.
🔧 Temporary Workarounds
Disable plugin temporarily
Deactivate the vulnerable plugin until patched:
wp plugin deactivate wpc-name-your-price
Enable price validation
Add custom WooCommerce validation to reject modified prices:
Add custom PHP code that re-validates price parameters server-side during the cart and checkout process.
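As an added hardening example for the workaround above (this is not code from the plugin, from WooCommerce, or from the advisory), the snippet below re-derives every cart item's price from the catalogue right before WooCommerce calculates totals and resets anything that undercuts it, logging the event so the correction is visible in server logs. It deliberately does not consult the plugin's own "custom pricing disabled" setting, because that is the check the vulnerable versions bypass. The allowlist constant NYP_ALLOWED_PRODUCT_IDS, its example IDs, the nyp_guard_* function names and the 'nyp-guard' text domain are assumptions for this example; the hooks and functions it calls (woocommerce_before_calculate_totals, wc_get_product, WC_Product::get_price / set_price, wc_add_notice, wc_has_notice) are standard WooCommerce APIs.

```php
<?php
/**
 * Server-side price re-validation for WooCommerce cart items.
 * Added mitigation example; NOT code from the WPC Name Your Price plugin.
 * Assumption: products that may legitimately carry a customer-chosen price are
 * listed in NYP_ALLOWED_PRODUCT_IDS (hypothetical allowlist, constructed IDs).
 */

const NYP_ALLOWED_PRODUCT_IDS = [ 101, 102 ];

/**
 * Returns the catalogue price WooCommerce would normally charge for this cart
 * item, by loading a fresh product object instead of trusting the price already
 * stored on $cart_item['data'] (which a name-your-price flow overwrites).
 */
function nyp_guard_catalogue_price( array $cart_item ) : float {
    $id      = ! empty( $cart_item['variation_id'] ) ? (int) $cart_item['variation_id'] : (int) $cart_item['product_id'];
    $product = wc_get_product( $id );
    return $product ? (float) $product->get_price() : 0.0;
}

/**
 * Resets undercut prices on products that are not on the allowlist.
 * Hooked at the highest priority so it runs after any plugin that set the
 * price, and before totals are calculated, so the corrected price is charged.
 */
function nyp_guard_enforce_prices( WC_Cart $cart ) : void {
    if ( is_admin() && ! defined( 'DOING_AJAX' ) ) {
        return; // admin screens never calculate a customer's cart
    }
    $notice = __( 'The price of an item in your cart was corrected to the catalogue price.', 'nyp-guard' );

    foreach ( $cart->get_cart() as $key => $item ) {
        if ( in_array( (int) $item['product_id'], NYP_ALLOWED_PRODUCT_IDS, true ) ) {
            continue; // custom pricing intentionally enabled for this product
        }
        $expected = nyp_guard_catalogue_price( $item );
        $actual   = (float) $item['data']->get_price();
        if ( $actual < $expected ) {
            // Log line doubles as a detection signal for the monitoring section.
            error_log( sprintf(
                'nyp_guard: cart item %s price %.2f below catalogue %.2f, resetting (ip=%s)',
                $key, $actual, $expected, $_SERVER['REMOTE_ADDR'] ?? 'unknown'
            ) );
            $item['data']->set_price( $expected );
            // Totals are recalculated several times per request; notify once.
            if ( ! wc_has_notice( $notice, 'error' ) ) {
                wc_add_notice( $notice, 'error' );
            }
        }
    }
}
add_action( 'woocommerce_before_calculate_totals', 'nyp_guard_enforce_prices', PHP_INT_MAX );
```

Place the file in wp-content/mu-plugins/ so it loads before regular plugins and cannot be switched off from the admin UI. Because it reverts any cart item priced below catalogue, other legitimate price-lowering plugins (dynamic pricing, bundles) would be reverted too; populate the allowlist or extend the condition before enabling it on a store that uses them. Coupons are unaffected, since they apply to totals rather than to the item price.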
🧯 If You Can't Patch
- Disable the WPC Name Your Price plugin entirely and use alternative pricing solutions
- Implement server-side price validation and monitoring for price anomalies in real-time
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel for plugin version - if WPC Name Your Price is version 2.1.9 or lower, you are vulnerable.
Check Version:
wp plugin get wpc-name-your-price --field=version
Verify Fix Applied:
Verify plugin version is 2.2.0 or higher in WordPress admin panel, then test purchasing a product with custom pricing disabled to ensure price cannot be modified.
📡 Detection & Monitoring
Log Indicators:
- Unusually low order values compared to product prices
- Multiple purchases from the same IP address with modified price parameters
- Checkout requests with price parameters in URL or POST data
Network Indicators:
- HTTP POST requests to checkout containing modified price fields
- Unusual price parameters in WooCommerce API calls
SIEM Query:
source="woocommerce" AND (price<regular_price OR price_override=true) AND product="*"
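The SIEM query above assumes fields a given log pipeline may not have. As an added example that is not part of this advisory or of WooCommerce, the script below implements the first two log indicators ("unusually low order values compared to product prices" and "multiple purchases from the same IP") as a retrospective audit over placed orders, deriving the unit price from each line item's subtotal so coupon discounts (which apply to the total, not the subtotal) do not produce false positives. The catalogue, allowlist and order records are constructed sample data; in a real deployment the same arrays can be built from wc_get_orders() and each order's get_items() and get_customer_ip_address() (assumption: the caller performs that mapping). It runs stand-alone with the PHP CLI.

```php
<?php
/**
 * Retrospective audit of placed orders for undercut line items.
 * Added detection example; not part of WooCommerce or the plugin.
 */

/** Catalogue price per product id (constructed sample data). */
const AUDIT_CATALOGUE = [ 10 => 49.00, 11 => 120.00, 12 => 15.00 ];

/** Products where a customer-chosen price is legitimate (hypothetical allowlist). */
const AUDIT_NYP_ALLOWED = [ 12 ];

/**
 * Returns one finding per line item whose unit price is below the catalogue
 * price by more than $tolerance, for products not on the allowlist.
 * Each finding: order_id, ip, product_id, unit_price, catalogue_price, discount_pct.
 */
function audit_underpriced_items( array $orders, float $tolerance = 0.01 ) : array {
    $findings = [];
    foreach ( $orders as $order ) {
        foreach ( $order['items'] as $item ) {
            $pid = (int) $item['product_id'];
            if ( in_array( $pid, AUDIT_NYP_ALLOWED, true ) || ! array_key_exists( $pid, AUDIT_CATALOGUE ) ) {
                continue;
            }
            $catalogue = AUDIT_CATALOGUE[ $pid ];
            // Unit price from the pre-discount subtotal, so coupons do not trigger findings.
            $unit = $item['quantity'] > 0 ? $item['subtotal'] / $item['quantity'] : 0.0;
            if ( $catalogue - $unit > $tolerance ) {
                $findings[] = [
                    'order_id'        => $order['id'],
                    'ip'              => $order['ip'],
                    'product_id'      => $pid,
                    'unit_price'      => round( $unit, 2 ),
                    'catalogue_price' => $catalogue,
                    'discount_pct'    => round( 100 * ( 1 - $unit / $catalogue ), 1 ),
                ];
            }
        }
    }
    return $findings;
}

/** Groups finding order ids by source IP so repeat abuse from one address stands out. */
function audit_group_by_ip( array $findings ) : array {
    $by_ip = [];
    foreach ( $findings as $f ) {
        $by_ip[ $f['ip'] ][] = $f['order_id'];
    }
    return $by_ip;
}

// Constructed sample orders: 2001 is normal, 2002 and 2003 carry undercut items.
$sample_orders = [
    [ 'id' => 2001, 'ip' => '203.0.113.5',  'items' => [ [ 'product_id' => 10, 'quantity' => 1, 'subtotal' => 49.00 ] ] ],
    [ 'id' => 2002, 'ip' => '198.51.100.7', 'items' => [ [ 'product_id' => 11, 'quantity' => 2, 'subtotal' => 2.00 ] ] ],
    [ 'id' => 2003, 'ip' => '198.51.100.7', 'items' => [ [ 'product_id' => 10, 'quantity' => 1, 'subtotal' => 0.01 ],
                                                         [ 'product_id' => 12, 'quantity' => 1, 'subtotal' => 1.00 ] ] ],
];

$findings = audit_underpriced_items( $sample_orders );
foreach ( $findings as $f ) {
    printf( "order %d from %s: product %d at %.2f vs catalogue %.2f (%.1f%% below)\n",
        $f['order_id'], $f['ip'], $f['product_id'], $f['unit_price'], $f['catalogue_price'], $f['discount_pct'] );
}
foreach ( audit_group_by_ip( $findings ) as $ip => $ids ) {
    if ( count( $ids ) > 1 ) {
        printf( "repeat undercut orders from %s: %s\n", $ip, implode( ', ', $ids ) );
    }
}
```

On the sample data this reports orders 2002 and 2003 (product 12 in order 2003 is skipped because it is allowlisted) and flags 198.51.100.7 as a repeat source. Run it on a schedule against recent orders and raise an alert on any finding; a near-100% discount on a non-allowlisted product is the signature of this vulnerability being exercised.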