CVE-2025-12427

5.3 MEDIUM

📋 TL;DR

The YITH WooCommerce Wishlist plugin for WordPress has an Insecure Direct Object Reference vulnerability that allows unauthenticated attackers to discover any user's wishlist token ID and rename wishlists without authorization. This affects all WordPress sites using the plugin up to version 4.10.0, potentially enabling defacement, social engineering, and mass tampering attacks.

💻 Affected Systems

Products:
  • YITH WooCommerce Wishlist for WordPress
Versions: All versions up to and including 4.10.0
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: All WordPress installations with the vulnerable plugin version are affected regardless of configuration.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could systematically rename all user wishlists across a multi-user store, causing widespread confusion, enabling social engineering campaigns, and damaging brand reputation through apparent defacement.

🟠 Likely Case

Targeted attacks against specific users to rename their wishlists for harassment, confusion, or social engineering purposes, potentially leading to customer complaints and support overhead.

🟢 If Mitigated

Limited impact with proper monitoring and user education about potential wishlist tampering, though some confusion may still occur.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is straightforward to exploit via REST API or AJAX endpoints without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.10.1 or later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3394933%40yith-woocommerce-wishlist%2Ftrunk&old=3379519%40yith-woocommerce-wishlist%2Ftrunk&sfp_email=&sfph_mail=#file0

Restart Required: No

Instructions:

  1. Log into the WordPress admin panel.
  2. Navigate to Plugins > Installed Plugins.
  3. Find YITH WooCommerce Wishlist.
  4. Click 'Update Now' if available, or manually update to version 4.10.1+.
  5. Verify the update completed successfully.

🔧 Temporary Workarounds

Disable REST API endpoints (platform: all)

Temporarily disable the vulnerable REST API endpoints until patching is possible.

Add to wp-config.php:

    define('YITH_WCWL_REST_API_DISABLED', true);

Restrict AJAX access (platform: linux)

Limit AJAX handler access to authenticated users only via .htaccess or web server configuration.

    # In .htaccess:
    <Files "admin-ajax.php">
        Require valid-user
    </Files>

Note that admin-ajax.php also serves unauthenticated front-end AJAX for other plugins and themes, so this will break those features for logged-out visitors, and `Require valid-user` only works when an Apache authentication provider (AuthType, AuthName and a user file or backend) is configured in the same scope; without one the server returns an error for every request to the file.

🧯 If You Can't Patch

  • Implement Web Application Firewall (WAF) rules to block requests to vulnerable REST API and AJAX endpoints
  • Monitor logs for unusual wishlist rename activity and implement alerting for suspicious patterns

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > YITH WooCommerce Wishlist version. If version is 4.10.0 or lower, you are vulnerable.

Check Version:

wp plugin list --name=yith-woocommerce-wishlist --field=version

Verify Fix Applied:

Verify plugin version is 4.10.1 or higher in WordPress admin panel. Test wishlist functionality to ensure it works properly for authenticated users.

📡 Detection & Monitoring

Log Indicators:

  • Multiple POST requests to /wp-json/yith-wcwl/v1/lists/* endpoints from unauthenticated users
  • Unusual wishlist rename activity in WooCommerce logs
  • AJAX requests to admin-ajax.php with 'yith_wcwl_rename_list' action from unauthenticated IPs

Network Indicators:

  • Unusual traffic patterns to REST API endpoints from external IPs
  • Spike in requests to wishlist-related endpoints

SIEM Query:

source="wordpress.log" AND ("yith_wcwl_rename_list" OR "/wp-json/yith-wcwl/v1/lists/") AND user="-"
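The log indicators and SIEM query above can be applied offline to a web server access log. The following script is an added example written for this page, not part of the advisory or of the plugin: it parses combined-format access log lines, flags POST requests with no HTTP auth user (the `user="-"` condition of the SIEM query) to the REST path prefix and AJAX action the advisory lists, and reports source IPs that hit those endpoints repeatedly, which is the mass-rename pattern described under "Worst Case". The log lines are constructed sample data; the indicator strings are taken from the advisory. Because access logs only record query strings, an AJAX action sent in the POST body is not visible here and needs request-body or WAF logging instead.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Indicators as listed in the advisory's "Log Indicators" section.
REST_PREFIX = "/wp-json/yith-wcwl/v1/lists/"
AJAX_PATH = "/wp-admin/admin-ajax.php"
AJAX_ACTION = "yith_wcwl_rename_list"

# Combined log format (Apache/Nginx). The third field is the HTTP auth user,
# "-" when none was presented; the advisory's SIEM query keys on user="-".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines (not from any real system).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Nov/2025:10:00:01 +0000] "POST /wp-json/yith-wcwl/v1/lists/17 HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.5 - - [10/Nov/2025:10:00:02 +0000] "POST /wp-json/yith-wcwl/v1/lists/18 HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.5 - - [10/Nov/2025:10:00:03 +0000] "POST /wp-json/yith-wcwl/v1/lists/19 HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.7 - - [10/Nov/2025:10:01:00 +0000] "POST /wp-admin/admin-ajax.php?action=yith_wcwl_rename_list HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Nov/2025:10:01:05 +0000] "GET /wp-json/yith-wcwl/v1/lists/17 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.9 - alice [10/Nov/2025:10:02:00 +0000] "POST /wp-json/yith-wcwl/v1/lists/3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Nov/2025:10:03:00 +0000] "POST /wp-admin/admin-ajax.php?action=woocommerce_add_to_cart HTTP/1.1" 200 60 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def matches_indicator(rec):
    """Return an indicator label for a parsed record, or None if it is benign.

    Only POSTs without an HTTP auth user count, mirroring the SIEM query.
    GETs (reads) and authenticated requests are ignored.
    """
    if rec is None or rec["method"] != "POST" or rec["user"] != "-":
        return None
    parts = urlsplit(rec["target"])
    if parts.path.startswith(REST_PREFIX):
        return "rest-lists"
    if parts.path == AJAX_PATH:
        # The action is only visible here if it was passed in the query string.
        if AJAX_ACTION in parse_qs(parts.query).get("action", []):
            return "ajax-rename"
    return None


def scan(lines, burst_threshold=3):
    """Return (hits, bursts): every indicator hit, and IPs at or over the threshold."""
    hits = []
    per_ip = Counter()
    for line in lines:
        rec = parse_line(line)
        label = matches_indicator(rec)
        if label:
            hits.append((rec["ip"], label, rec["target"]))
            per_ip[rec["ip"]] += 1
    bursts = {ip: n for ip, n in per_ip.items() if n >= burst_threshold}
    return hits, bursts


if __name__ == "__main__":
    hits, bursts = scan(SAMPLE_LOG.splitlines())
    for ip, label, target in hits:
        print(f"{label:12} {ip:15} {target}")
    for ip, n in bursts.items():
        print(f"burst: {ip} hit wishlist endpoints {n} times")
```

Run against a real log with `scan(open("access.log"))`; tune `burst_threshold` to the store's normal wishlist traffic, and treat `rest-lists` hits from one IP against many different list IDs as the strongest signal, since legitimate users rename their own lists, not a sequence of them.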
