Refine your search
4 vulnerabilities found for YITH WooCommerce Wishlist by yithemes
CVE-2025-12777 (GCVE-0-2025-12777)
Vulnerability from nvd
Published
2025-11-19 03:29
Modified
2025-11-19 19:09
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-285 - Improper Authorization
Summary
The YITH WooCommerce Wishlist plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.10.0. This is due to the plugin not properly verifying that a user is authorized to perform actions on the REST API /wp-json/yith/wishlist/v1/lists endpoint (which uses permission_callback => '__return_true') and the AJAX delete_item handler (which only checks nonce validity without verifying object-level authorization). This makes it possible for unauthenticated attackers to disclose wishlist tokens for any user and subsequently delete wishlist items by chaining the REST API authorization bypass with the exposed delete_item nonce on shared wishlist pages and the AJAX handler's missing object-level authorization check.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| yithemes | YITH WooCommerce Wishlist |
Version: * ≤ 4.10.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12777",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-19T19:09:37.728596Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T19:09:51.646Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "YITH WooCommerce Wishlist",
"vendor": "yithemes",
"versions": [
{
"lessThanOrEqual": "4.10.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Athiwat Tiprasaharn"
}
],
"descriptions": [
{
"lang": "en",
"value": "The YITH WooCommerce Wishlist plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.10.0. This is due to the plugin not properly verifying that a user is authorized to perform actions on the REST API /wp-json/yith/wishlist/v1/lists endpoint (which uses permission_callback =\u003e \u0027__return_true\u0027) and the AJAX delete_item handler (which only checks nonce validity without verifying object-level authorization). This makes it possible for unauthenticated attackers to disclose wishlist tokens for any user and subsequently delete wishlist items by chaining the REST API authorization bypass with the exposed delete_item nonce on shared wishlist pages and the AJAX handler\u0027s missing object-level authorization check."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285 Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T03:29:38.579Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0088a97c-5a06-4500-a923-242499596aca?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/yith-woocommerce-wishlist/tags/4.10.0/includes/rest-api/controllers/v1/class-yith-wcwl-rest-v1-lists-controller.php#L56"
},
{
"url": "https://plugins.trac.wordpress.org/browser/yith-woocommerce-wishlist/tags/4.10.0/includes/rest-api/controllers/v1/class-yith-wcwl-rest-v1-lists-controller.php#L96"
},
{
"url": "https://plugins.trac.wordpress.org/browser/yith-woocommerce-wishlist/tags/4.10.0/includes/class-yith-wcwl-frontend.php#L740"
},
{
"url": "https://plugins.trac.wordpress.org/browser/yith-woocommerce-wishlist/tags/4.10.0/includes/class-yith-wcwl-ajax-handler.php#L222"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3394933%40yith-woocommerce-wishlist%2Ftrunk\u0026old=3379519%40yith-woocommerce-wishlist%2Ftrunk\u0026sfp_email=\u0026sfph_mail=#file0"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-11-05T20:59:07.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-11-18T14:28:55.000+00:00",
"value": "Disclosed"
}
],
"title": "YITH WooCommerce Wishlist \u003c= 4.10.0 - Unauthenticated Wishlist Token Disclosure to Wishlist Item Deletion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-12777",
"datePublished": "2025-11-19T03:29:38.579Z",
"dateReserved": "2025-11-05T20:43:52.611Z",
"dateUpdated": "2025-11-19T19:09:51.646Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12427 (GCVE-0-2025-12427)
Vulnerability from nvd
Published
2025-11-19 03:29
Modified
2025-11-19 20:09
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Summary
The YITH WooCommerce Wishlist plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.10.0 via the REST API endpoint and AJAX handler due to missing validation on user-controlled keys. This makes it possible for unauthenticated attackers to discover any user's wishlist token ID, and subsequently rename the victim's wishlist without authorization (integrity impact). This can be exploited to target multi-user stores for defacement, social engineering attacks, mass tampering, and profiling at scale.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| yithemes | YITH WooCommerce Wishlist |
Version: * ≤ 4.10.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12427",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-19T20:09:07.935020Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T20:09:20.500Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "YITH WooCommerce Wishlist",
"vendor": "yithemes",
"versions": [
{
"lessThanOrEqual": "4.10.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Athiwat Tiprasaharn"
}
],
"descriptions": [
{
"lang": "en",
"value": "The YITH WooCommerce Wishlist plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.10.0 via the REST API endpoint and AJAX handler due to missing validation on user-controlled keys. This makes it possible for unauthenticated attackers to discover any user\u0027s wishlist token ID, and subsequently rename the victim\u0027s wishlist without authorization (integrity impact). This can be exploited to target multi-user stores for defacement, social engineering attacks, mass tampering, and profiling at scale."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T03:29:39.992Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ffdb95ac-6b22-44a9-bd5c-b802a2d908d7?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/yith-woocommerce-wishlist/tags/4.10.0/includes/rest-api/controllers/v1/class-yith-wcwl-rest-v1-lists-controller.php#L56"
},
{
"url": "https://plugins.trac.wordpress.org/browser/yith-woocommerce-wishlist/tags/4.10.0/includes/rest-api/controllers/v1/class-yith-wcwl-rest-v1-lists-controller.php#L97"
},
{
"url": "https://plugins.trac.wordpress.org/browser/yith-woocommerce-wishlist/tags/4.10.0/includes/class-yith-wcwl-ajax-handler.php#L38"
},
{
"url": "https://plugins.trac.wordpress.org/browser/yith-woocommerce-wishlist/tags/4.10.0/includes/class-yith-wcwl-ajax-handler.php#L265"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3394933%40yith-woocommerce-wishlist%2Ftrunk\u0026old=3379519%40yith-woocommerce-wishlist%2Ftrunk\u0026sfp_email=\u0026sfph_mail=#file0"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-10-30T13:50:43.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-11-18T14:26:06.000+00:00",
"value": "Disclosed"
}
],
"title": "YITH WooCommerce Wishlist \u003c= 4.10.0 - Unauthenticated Insecure Direct Object Reference to Unauthenticated Wishlist Rename"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-12427",
"datePublished": "2025-11-19T03:29:39.992Z",
"dateReserved": "2025-10-28T19:57:51.583Z",
"dateUpdated": "2025-11-19T20:09:20.500Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12427 (GCVE-0-2025-12427)
Vulnerability from cvelistv5
Published
2025-11-19 03:29
Modified
2025-11-19 20:09
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Summary
The YITH WooCommerce Wishlist plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.10.0 via the REST API endpoint and AJAX handler due to missing validation on user-controlled keys. This makes it possible for unauthenticated attackers to discover any user's wishlist token ID, and subsequently rename the victim's wishlist without authorization (integrity impact). This can be exploited to target multi-user stores for defacement, social engineering attacks, mass tampering, and profiling at scale.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| yithemes | YITH WooCommerce Wishlist |
Version: * ≤ 4.10.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12427",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-19T20:09:07.935020Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T20:09:20.500Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "YITH WooCommerce Wishlist",
"vendor": "yithemes",
"versions": [
{
"lessThanOrEqual": "4.10.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Athiwat Tiprasaharn"
}
],
"descriptions": [
{
"lang": "en",
"value": "The YITH WooCommerce Wishlist plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.10.0 via the REST API endpoint and AJAX handler due to missing validation on user-controlled keys. This makes it possible for unauthenticated attackers to discover any user\u0027s wishlist token ID, and subsequently rename the victim\u0027s wishlist without authorization (integrity impact). This can be exploited to target multi-user stores for defacement, social engineering attacks, mass tampering, and profiling at scale."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T03:29:39.992Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ffdb95ac-6b22-44a9-bd5c-b802a2d908d7?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/yith-woocommerce-wishlist/tags/4.10.0/includes/rest-api/controllers/v1/class-yith-wcwl-rest-v1-lists-controller.php#L56"
},
{
"url": "https://plugins.trac.wordpress.org/browser/yith-woocommerce-wishlist/tags/4.10.0/includes/rest-api/controllers/v1/class-yith-wcwl-rest-v1-lists-controller.php#L97"
},
{
"url": "https://plugins.trac.wordpress.org/browser/yith-woocommerce-wishlist/tags/4.10.0/includes/class-yith-wcwl-ajax-handler.php#L38"
},
{
"url": "https://plugins.trac.wordpress.org/browser/yith-woocommerce-wishlist/tags/4.10.0/includes/class-yith-wcwl-ajax-handler.php#L265"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3394933%40yith-woocommerce-wishlist%2Ftrunk\u0026old=3379519%40yith-woocommerce-wishlist%2Ftrunk\u0026sfp_email=\u0026sfph_mail=#file0"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-10-30T13:50:43.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-11-18T14:26:06.000+00:00",
"value": "Disclosed"
}
],
"title": "YITH WooCommerce Wishlist \u003c= 4.10.0 - Unauthenticated Insecure Direct Object Reference to Unauthenticated Wishlist Rename"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-12427",
"datePublished": "2025-11-19T03:29:39.992Z",
"dateReserved": "2025-10-28T19:57:51.583Z",
"dateUpdated": "2025-11-19T20:09:20.500Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12777 (GCVE-0-2025-12777)
Vulnerability from cvelistv5
Published
2025-11-19 03:29
Modified
2025-11-19 19:09
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-285 - Improper Authorization
Summary
The YITH WooCommerce Wishlist plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.10.0. This is due to the plugin not properly verifying that a user is authorized to perform actions on the REST API /wp-json/yith/wishlist/v1/lists endpoint (which uses permission_callback => '__return_true') and the AJAX delete_item handler (which only checks nonce validity without verifying object-level authorization). This makes it possible for unauthenticated attackers to disclose wishlist tokens for any user and subsequently delete wishlist items by chaining the REST API authorization bypass with the exposed delete_item nonce on shared wishlist pages and the AJAX handler's missing object-level authorization check.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| yithemes | YITH WooCommerce Wishlist |
Version: * ≤ 4.10.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12777",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-19T19:09:37.728596Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T19:09:51.646Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "YITH WooCommerce Wishlist",
"vendor": "yithemes",
"versions": [
{
"lessThanOrEqual": "4.10.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Athiwat Tiprasaharn"
}
],
"descriptions": [
{
"lang": "en",
"value": "The YITH WooCommerce Wishlist plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.10.0. This is due to the plugin not properly verifying that a user is authorized to perform actions on the REST API /wp-json/yith/wishlist/v1/lists endpoint (which uses permission_callback =\u003e \u0027__return_true\u0027) and the AJAX delete_item handler (which only checks nonce validity without verifying object-level authorization). This makes it possible for unauthenticated attackers to disclose wishlist tokens for any user and subsequently delete wishlist items by chaining the REST API authorization bypass with the exposed delete_item nonce on shared wishlist pages and the AJAX handler\u0027s missing object-level authorization check."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285 Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T03:29:38.579Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0088a97c-5a06-4500-a923-242499596aca?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/yith-woocommerce-wishlist/tags/4.10.0/includes/rest-api/controllers/v1/class-yith-wcwl-rest-v1-lists-controller.php#L56"
},
{
"url": "https://plugins.trac.wordpress.org/browser/yith-woocommerce-wishlist/tags/4.10.0/includes/rest-api/controllers/v1/class-yith-wcwl-rest-v1-lists-controller.php#L96"
},
{
"url": "https://plugins.trac.wordpress.org/browser/yith-woocommerce-wishlist/tags/4.10.0/includes/class-yith-wcwl-frontend.php#L740"
},
{
"url": "https://plugins.trac.wordpress.org/browser/yith-woocommerce-wishlist/tags/4.10.0/includes/class-yith-wcwl-ajax-handler.php#L222"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3394933%40yith-woocommerce-wishlist%2Ftrunk\u0026old=3379519%40yith-woocommerce-wishlist%2Ftrunk\u0026sfp_email=\u0026sfph_mail=#file0"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-11-05T20:59:07.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-11-18T14:28:55.000+00:00",
"value": "Disclosed"
}
],
"title": "YITH WooCommerce Wishlist \u003c= 4.10.0 - Unauthenticated Wishlist Token Disclosure to Wishlist Item Deletion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-12777",
"datePublished": "2025-11-19T03:29:38.579Z",
"dateReserved": "2025-11-05T20:43:52.611Z",
"dateUpdated": "2025-11-19T19:09:51.646Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}