PT-2025-48803 · Unknown+2 · Woocommerce+2

Adrian Lukita · Published 2025-12-03 · Updated 2025-12-03 · CVE-2025-12358

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

ShopEngine Elementor WooCommerce Builder Addon versions through 4.8.5

Description

The ShopEngine Elementor WooCommerce Builder Addon plugin for WordPress is susceptible to Cross-Site Request Forgery. This is a result of missing nonce validation in the post add to list function and an incorrect permissions callback in the Api/init function. An unauthenticated attacker can add or remove products from a user's wishlist by exploiting a forged request, provided they can trick a user into performing an action.

Recommendations

Update ShopEngine Elementor WooCommerce Builder Addon to a version later than 4.8.5.

Fix

CSRF


Weakness Enumeration

Related Identifiers

CVE-2025-12358

Affected Products

Elementor
Shopengine Elementor Woocommerce Builder Addon
Woocommerce