{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12358", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-27T16:10:11.719Z", "datePublished": "2025-12-03T12:29:55.836Z", "dateUpdated": "2026-04-08T16:59:48.815Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:59:48.815Z"}, "affected": [{"vendor": "roxnor", "product": "ShopEngine Elementor WooCommerce Builder Addon \u2013 All in One WooCommerce Solution", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.8.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The ShopEngine Elementor WooCommerce Builder Addon plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.8.5. This is due to missing nonce validation on the \"post_add_to_list\" function as well as an incorrect permissions callback in the \"Api/init\" function. This makes it possible for unauthenticated attackers to add or remove products from a user's wishlist via a forged request granted they can trick a site's user into performing an action such as clicking on a link."}], "title": "ShopEngine <= 4.8.5 - Cross-Site Request Forgery to Wishlist Manipulation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6ed605a1-9544-4b53-8d62-ad89214a4fb8?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3401226/shopengine"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Adrian Lukita"}], "timeline": [{"time": "2025-10-14T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-10-27T16:26:34.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-12-02T23:42:11.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-03T13:58:26.093699Z", "id": "CVE-2025-12358", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-03T13:58:46.007Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12358", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-03T13:58:26.093699Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-03T13:58:36.331Z"}}], "cna": {"title": "ShopEngine <= 4.8.5 - Cross-Site Request Forgery to Wishlist Manipulation", "credits": [{"lang": "en", "type": "finder", "value": "Adrian Lukita"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "roxnor", "product": "ShopEngine Elementor WooCommerce Builder Addon \u2013 All in One WooCommerce Solution", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.8.5"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-14T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-10-27T16:26:34.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-12-02T23:42:11.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6ed605a1-9544-4b53-8d62-ad89214a4fb8?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3401226/shopengine"}], "descriptions": [{"lang": "en", "value": "The ShopEngine Elementor WooCommerce Builder Addon plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.8.5. This is due to missing nonce validation on the \"post_add_to_list\" function as well as an incorrect permissions callback in the \"Api/init\" function. This makes it possible for unauthenticated attackers to add or remove products from a user's wishlist via a forged request granted they can trick a site's user into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:59:48.815Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12358", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:59:48.815Z", "dateReserved": "2025-10-27T16:10:11.719Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-03T12:29:55.836Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The ShopEngine Elementor WooCommerce Builder Addon plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.8.5. This is due to missing nonce validation on the \"post_add_to_list\" function as well as an incorrect permissions callback in the \"Api/init\" function. This makes it possible for unauthenticated attackers to add or remove products from a user's wishlist via a forged request granted they can trick a site's user into performing an action such as clicking on a link."}], "id": "CVE-2025-12358", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-03T13:16:00.587", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3401226/shopengine"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6ed605a1-9544-4b53-8d62-ad89214a4fb8?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T11:41:15.417894+00:00", "value": {"mitigation_remediation": ["Upgrade the ShopEngine plugin to the latest official release (4.8.6 or newer) to incorporate the missing nonce validation and correct permission checks.", "If an upgrade is not immediately possible, configure the site\u2019s web application firewall or security plugin to block unauthenticated requests to the \"post_add_to_list\" endpoint and the ShopEngine API initialization route.", "Audit all installed third\u2011party plugins to ensure none contain similar CSRF weaknesses and disable or remove any that are unnecessary for site operation."], "summary": {"action": "Patch", "impact": "Cross\u2011Site Request Forgery enabling unauthenticated wishlist manipulation"}, "threat_synthesis": {"affected_systems": "All users of the roxnor ShopEngine Elementor WooCommerce Builder Addon \u2013 All in One WooCommerce Solution with version 4.8.5 or earlier are affected. Versions higher than 4.8.5 include the fix and are not vulnerable.", "description_and_impact": "The ShopEngine Elementor WooCommerce Builder Addon plugin is vulnerable to a CSRF flaw caused by missing nonce validation on the \"post_add_to_list\" endpoint and an incorrect permissions callback in its API initialization. An attacker who can convince a site user to visit a crafted link can add or remove items from that user's wishlist without authentication. The impact is a moderate integrity violation and potential commercial impact for e\u2011commerce sites that rely on wishlist integrity, but it does not expose sensitive data or allow code execution.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate risk, while the EPSS score of less than 1% implies a low likelihood of exploitation at this time. The vulnerability is not listed in CISA\u2019s KEV catalog. The likely attack vector is web\u2011based: a malicious link or HTML payload that triggers a forged POST request to the vulnerable endpoint, requiring the victim to click the link or visit an embedded resource. Successful exploitation would allow an attacker to manipulate a user\u2019s wishlist but does not enable broader attacks such as data exfiltration or remote code execution."}}}}, "created": "2025-12-04T16:44:22.311036+00:00", "updated": "2026-04-22T12:00:05.910443+00:00", "vendors": ["elementor", "elementor$PRODUCT$elementor", "roxnor", "roxnor$PRODUCT$shopengine_elementor_woocommerce_builder_addon", "woocommerce", "woocommerce$PRODUCT$woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}