CVE-2025-12358

ShopEngine <= 4.8.5 - Cross-Site Request Forgery to Wishlist Manipulation

Assigner: Wordfence
Reserved: 27.10.2025 Published: 03.12.2025 Updated: 03.12.2025

The ShopEngine Elementor WooCommerce Builder Addon plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.8.5. This is due to missing nonce validation on the "post_add_to_list" function as well as an incorrect permissions callback in the "Api/init" function. This makes it possible for unauthenticated attackers to add or remove products from a user's wishlist via a forged request granted they can trick a site's user into performing an action such as clicking on a link.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVSS Score: 4.3

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	Low
User Interaction	Required	Availability Impact	None

CVSS 3.1

Product Status

Vendor	roxnor
Product	ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution
Versions	Default: unaffected affected from * to 4.8.5 (incl.)

Vendor

roxnor

Product

ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution

Versions

Default: unaffected

affected from * to 4.8.5 (incl.)

Credits

Adrian Lukita finder

References

Problem Types