CVE-2025-12087 MEDIUM

CVE-2025-12087: Wishlist and Save for later for Woocommerce <= 1.1.22 - Insecure Direct Object Reference to Authenticated (Subscriber+) Wishlist Item Deletion

Vendor Acowebs
Product Wishlist and Save for later for Woocommerce
Weakness CWE-639 · IDOR
Published November 12, 2025
Last update April 8, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

The Wishlist and Save for later for Woocommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.22 via the 'awwlm_remove_added_wishlist_page' AJAX action due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete wishlist items from other users' wishlists.

Explanation of Vulnerability in Simple Terms

02 Summary

The Wishlist and Save for later for WooCommerce plugin, through version 1.1.22, contains an authorization flaw in the 'awwlm_remove_added_wishlist_page' AJAX action: the identifier of the wishlist item to delete is taken from the request without checking that the item belongs to the user making the request. An attacker with any authenticated account, including a plain Subscriber, can therefore delete entries from other users' wishlists. No user interaction is required beyond the attacker's own login. Update to a version newer than 1.1.22.
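The pattern behind the Description and Summary above, shown as an added illustration that is not the plugin's code: a generic WordPress AJAX delete handler that trusts a client-supplied item id, beside a hardened version that binds the delete to the current user and verifies a nonce. The table name, column names, the 'item_id' POST field and the 'awwlm_wishlist' nonce action are assumptions made for the example; only the action hook name comes from the advisory.

```php
<?php
// Added example for CVE-2025-12087, not code from the Acowebs plugin.
// Assumed (hypothetical) schema: {$wpdb->prefix}awwlm_items(id, user_id, product_id).
// Assumed request shape: POST item_id=<int>, nonce=<wp nonce for 'awwlm_wishlist'>.

// Vulnerable pattern. wp_ajax_* hooks only fire for logged-in users, so the sole
// gate is "is authenticated"; the row is then deleted by whatever id the client sends.
function awwlm_example_remove_item_vulnerable() {
    global $wpdb;
    $item_id = isset( $_POST['item_id'] ) ? absint( $_POST['item_id'] ) : 0;
    if ( ! $item_id ) {
        wp_send_json_error( 'missing item_id', 400 );
    }
    // IDOR: no check that the row belongs to get_current_user_id(). A Subscriber
    // can iterate item ids and delete other customers' wishlist entries.
    $wpdb->delete( $wpdb->prefix . 'awwlm_items', array( 'id' => $item_id ), array( '%d' ) );
    wp_send_json_success();
}

// Hardened pattern: CSRF nonce check, then ownership enforced inside the query
// itself, so an id belonging to another user simply matches zero rows.
function awwlm_example_remove_item_fixed() {
    global $wpdb;
    check_ajax_referer( 'awwlm_wishlist', 'nonce' ); // terminates with 403 on failure
    $item_id = isset( $_POST['item_id'] ) ? absint( $_POST['item_id'] ) : 0;
    if ( ! $item_id ) {
        wp_send_json_error( 'missing item_id', 400 );
    }
    $deleted = $wpdb->delete(
        $wpdb->prefix . 'awwlm_items',
        array( 'id' => $item_id, 'user_id' => get_current_user_id() ), // ownership bound into WHERE
        array( '%d', '%d' )
    );
    if ( ! $deleted ) {
        // Same response whether the item does not exist or is someone else's,
        // so the endpoint does not become an oracle for other users' item ids.
        wp_send_json_error( 'not found', 404 );
    }
    wp_send_json_success();
}

add_action( 'wp_ajax_awwlm_remove_added_wishlist_page', 'awwlm_example_remove_item_fixed' );
```

The important line is the WHERE clause in the hardened handler: checking ownership with a separate SELECT before the DELETE also works, but folding user_id into the delete condition leaves no window in which the check and the action can disagree, and it makes the authorization decision impossible to forget when the handler is later refactored.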

What an attacker can do

03 Attacker Capabilities

Delete wishlist (saved-for-later) items belonging to other users by supplying the target item's identifier to the vulnerable AJAX action. The impact is to integrity only; the CVSS vector records no confidentiality or availability impact.

Potential impact on your site

04 Site Impact

Customer wishlist and saved-item entries can be deleted by any other authenticated user, undermining data integrity and customer trust.

Conditions required to exploit

05 Prerequisites

Attacker must have an authenticated account on the site with Subscriber-level privileges or above (on a WooCommerce store with open registration, a self-registered customer account is enough), and must know or guess the identifier of the target wishlist item, which the vulnerable action accepts without an ownership check.

Key dates

06 Disclosure timeline

November 12, 2025 CVE published
April 8, 2026 Record updated