Insecure Direct Object Reference in Wishlist and Save for Later for Woocommerce Plugin by WordPress
CVE-2025-12087
4.3 MEDIUM
Key Information:
- Vendor: WordPress
- CVE Published: 12 November 2025
What is CVE-2025-12087?
The Wishlist and Save for Later for Woocommerce plugin for WordPress is susceptible to an Insecure Direct Object Reference. This vulnerability allows authenticated attackers, including those with Subscriber-level access, to manipulate a user-controlled key through the 'awwlm_remove_added_wishlist_page' AJAX action. As a consequence, these attackers can delete wishlist items from other users' wishlists, presenting a significant security risk and potential data loss for users relying on this functionality.
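The fix for this class of bug is to bind the delete to the session's user rather than to the key sent by the client. The handler below is an added illustration for a WordPress plugin file, not the plugin's own code; the action name, nonce name, table and column names are hypothetical.

```php
<?php
// Added illustration, not code from the affected plugin. The action name,
// nonce name, table name and column names are hypothetical.

add_action( 'wp_ajax_example_remove_wishlist_item', 'example_remove_wishlist_item' );

function example_remove_wishlist_item() {
    global $wpdb;

    // wp_ajax_* only guarantees a logged-in user, so a Subscriber reaches
    // this code. The nonce stops cross-site requests, not IDOR.
    check_ajax_referer( 'example_wishlist_nonce', 'nonce' );

    $item_id = isset( $_POST['item_id'] ) ? absint( $_POST['item_id'] ) : 0;
    if ( 0 === $item_id ) {
        wp_send_json_error( array( 'message' => 'Invalid item.' ), 400 );
    }

    $table   = $wpdb->prefix . 'example_wishlist_items';
    $user_id = get_current_user_id();

    // IDOR pattern (shown for contrast only): the row is selected by the
    // client-supplied key alone, so ownership is never checked.
    // $wpdb->delete( $table, array( 'id' => $item_id ), array( '%d' ) );

    // Hardened: the owner is taken from the session, never from the
    // request, and is part of the WHERE clause.
    $deleted = $wpdb->delete(
        $table,
        array( 'id' => $item_id, 'user_id' => $user_id ),
        array( '%d', '%d' )
    );

    if ( false === $deleted ) {
        wp_send_json_error( array( 'message' => 'Database error.' ), 500 );
    }
    if ( 0 === $deleted ) {
        // Same answer for "does not exist" and "belongs to someone else",
        // so responses do not reveal which item ids are valid.
        wp_send_json_error( array( 'message' => 'Item not found.' ), 404 );
    }

    wp_send_json_success( array( 'removed' => $item_id ) );
}
```

Putting the ownership condition in the same statement as the delete avoids a separate lookup that could be skipped or raced.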
Affected Version(s)
Wishlist and Save for later for Woocommerce: all versions <= 1.1.22