{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12087", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-22T18:11:13.326Z", "datePublished": "2025-11-12T04:29:08.619Z", "dateUpdated": "2026-04-08T16:37:31.576Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:37:31.576Z"}, "affected": [{"vendor": "acowebs", "product": "Wishlist and Save for later for Woocommerce", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1.22", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Wishlist and Save for later for Woocommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.22 via the 'awwlm_remove_added_wishlist_page' AJAX action due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete wishlist items from other user's wishlists."}], "title": "Wishlist and Save for later for Woocommerce <= 1.1.22 - Insecure Direct Object Reference to Authenticated (Subscriber+) Wishlist Item Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/17e8a743-7985-4b28-b854-ac052a834f3a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/log/aco-wishlist-for-woocommerce/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "cweId": "CWE-639", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Itthidej Aramsri"}], "timeline": [{"time": "2025-10-31T16:25:34.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-11-11T15:47:17.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-12T18:31:53.632051Z", "id": "CVE-2025-12087", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-12T18:33:33.764Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12087", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-12T18:31:53.632051Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-12T18:32:38.908Z"}}], "cna": {"title": "Wishlist and Save for later for Woocommerce <= 1.1.22 - Insecure Direct Object Reference to Authenticated (Subscriber+) Wishlist Item Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Itthidej Aramsri"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "acowebs", "product": "Wishlist and Save for later for Woocommerce", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.1.22"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-31T16:25:34.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-11-11T15:47:17.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/17e8a743-7985-4b28-b854-ac052a834f3a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/log/aco-wishlist-for-woocommerce/"}], "descriptions": [{"lang": "en", "value": "The Wishlist and Save for later for Woocommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.22 via the 'awwlm_remove_added_wishlist_page' AJAX action due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete wishlist items from other user's wishlists."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:37:31.576Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12087", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:37:31.576Z", "dateReserved": "2025-10-22T18:11:13.326Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-12T04:29:08.619Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Wishlist and Save for later for Woocommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.22 via the 'awwlm_remove_added_wishlist_page' AJAX action due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete wishlist items from other user's wishlists."}], "id": "CVE-2025-12087", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-12T05:15:39.020", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/log/aco-wishlist-for-woocommerce/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/17e8a743-7985-4b28-b854-ac052a834f3a?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T21:13:54.228380+00:00", "value": {"mitigation_remediation": ["Update the Wishlist plugin to a version that removes the insecure AJAX action or, if no update is available, deactivate or uninstall the plugin immediately.", "If the plugin must remain active, restrict the \u2018awwlm_remove_added_wishlist_page\u2019 action to administrator roles by adding a server\u2011side authorization check for the current user\u2019s capability.", "Add a Web Application Firewall rule that blocks or requires a valid nonce for requests to awwlm_remove_added_wishlist_page to reduce the chance of successful IDOR exploitation."], "summary": {"action": "Apply updates", "impact": "Insecure deletion of other users' wishlist items via IDOR"}, "threat_synthesis": {"affected_systems": "Any WordPress site running the acowebs Wishlist and Save for later for WooCommerce plugin with a version of 1.1.22 or earlier, regardless of the WordPress or WooCommerce version, is affected.", "description_and_impact": "The WooCommerce Wishlist plugin contains an insecure direct object reference in the \u2018awwlm_remove_added_wishlist_page\u2019 AJAX action. Because the request is not validated against the requester's identity, an authenticated user with a Subscriber role or higher can delete any wishlist item belonging to another user. This allows a malicious actor to erase selected products from other customers\u2019 wishlists, damaging data integrity and potentially undermining customer trust in the e\u2011commerce platform, but it does not provide code execution or broader system compromise.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a moderate severity. The EPSS score of less than 1% shows a very low current exploitation probability, and the vulnerability is not listed in CISA KEV. Exploitation requires a valid account; the attacker needs only Subscriber-level access, so the attack vector is user\u2011based. Although the impact is limited to data tampering, the ease of operation and lack of authentication checks raise the practical risk for sites with many active users."}}}}, "created": "2025-11-12T12:36:26.371604+00:00", "updated": "2026-04-22T21:15:27.684542+00:00", "vendors": ["acowebs", "acowebs$PRODUCT$wishlist_and_save_for_later_for_woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}