CVE-2025-12777
📋 TL;DR
The YITH WooCommerce Wishlist plugin for WordPress has an authorization bypass vulnerability that allows unauthenticated attackers to access wishlist tokens for any user and delete wishlist items. This affects all WordPress sites using the plugin up to version 4.10.0. Attackers can chain REST API and AJAX handler weaknesses to manipulate user wishlists.
💻 Affected Systems
- YITH WooCommerce Wishlist WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could systematically delete all wishlist items across all users, causing data loss and disrupting e-commerce functionality.
Likely Case
Targeted deletion of wishlist items for specific users, potentially affecting shopping experience and customer satisfaction.
If Mitigated
Limited to wishlist manipulation only; no access to sensitive user data, payment information, or administrative functions.
🎯 Exploit Status
Exploitation requires chaining two authorization bypasses but follows predictable patterns with publicly available code references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.10.1
Vendor Advisory: https://wordpress.org/plugins/yith-woocommerce-wishlist/#developers
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find YITH WooCommerce Wishlist. 4. Click 'Update Now' if available. 5. Alternatively, download version 4.10.1+ from WordPress.org and manually update.
🔧 Temporary Workarounds
Disable REST API endpoint
allTemporarily disable the vulnerable REST API endpoint using WordPress filters
Add to theme's functions.php or custom plugin: add_filter('rest_endpoints', function($endpoints){ unset($endpoints['/wp-json/yith/wishlist/v1/lists']); return $endpoints; });
Disable plugin
linuxTemporarily deactivate the YITH WooCommerce Wishlist plugin
wp plugin deactivate yith-woocommerce-wishlist
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block requests to /wp-json/yith/wishlist/v1/lists endpoint
- Restrict access to wishlist functionality to authenticated users only via .htaccess or nginx rules
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin under Plugins → Installed Plugins. If version is 4.10.0 or lower, you are vulnerable.Check Version:
wp plugin get yith-woocommerce-wishlist --field=versionVerify Fix Applied:
Verify plugin version is 4.10.1 or higher. Test wishlist functionality to ensure it still works for authenticated users.📡 Detection & Monitoring
Log Indicators:
- Multiple POST requests to /wp-admin/admin-ajax.php with action=remove_from_wishlist from unauthenticated IPs
- GET requests to /wp-json/yith/wishlist/v1/lists from unauthenticated users
Network Indicators:
- Unusual spike in requests to wishlist-related endpoints
- Requests to wishlist API without authentication headers
SIEM Query:
source="wordpress.log" AND (uri_path="/wp-json/yith/wishlist/v1/lists" OR uri_path="/wp-admin/admin-ajax.php" AND query_string="action=remove_from_wishlist") AND user="-"🔗 References
- https://plugins.trac.wordpress.org/browser/yith-woocommerce-wishlist/tags/4.10.0/includes/class-yith-wcwl-ajax-handler.php#L222
- https://plugins.trac.wordpress.org/browser/yith-woocommerce-wishlist/tags/4.10.0/includes/class-yith-wcwl-frontend.php#L740
- https://plugins.trac.wordpress.org/browser/yith-woocommerce-wishlist/tags/4.10.0/includes/rest-api/controllers/v1/class-yith-wcwl-rest-v1-lists-controller.php#L56
- https://plugins.trac.wordpress.org/browser/yith-woocommerce-wishlist/tags/4.10.0/includes/rest-api/controllers/v1/class-yith-wcwl-rest-v1-lists-controller.php#L96
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3394933%40yith-woocommerce-wishlist%2Ftrunk&old=3379519%40yith-woocommerce-wishlist%2Ftrunk&sfp_email=&sfph_mail=#file0
- https://www.wordfence.com/threat-intel/vulnerabilities/id/0088a97c-5a06-4500-a923-242499596aca?source=cve
