cleantalk
Vulnerabilities and Security Researches

YITH WooCommerce Wishlist, CVE-2025-12427

CVE, Research URL

CVE-2025-12427

Home page URL

Security reports for YITH WooCommerce Wishlist

Application

YITH WooCommerce Wishlist

Published on
Nov 19, 2025
Research Description
The YITH WooCommerce Wishlist plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.10.0 via the REST API endpoint and AJAX handler due to missing validation on user-controlled keys. This makes it possible for unauthenticated attackers to discover any user's wishlist token ID, and subsequently rename the victim's wishlist without authorization (integrity impact). This can be exploited to target multi-user stores for defacement, social engineering attacks, mass tampering, and profiling at scale.
Affected versions
max 4.10.1.
Status
vulnerable
Previous vulnerability researches
Advanced Flamingo (CVE-2023-52226) , Jun 07, 2024
New vulnerability
Simple User Import Export (CVE-2025-13133) , Dec 10, 2025
Analytics Germanized for Google Analytics (GDPR / DSGVO) (CVE-2025-64292) , Dec 10, 2025
Classified Listing – Classified ads & Business Directory Plugin (CVE-2025-12953) , Dec 10, 2025
All-in-One Video Gallery (CVE-2025-12966) , Dec 10, 2025
Like-it (CVE-2025-12404) , Dec 10, 2025