CVE-2025-12115 - Vulnerability Details

- WPC Name Your Price for WooCommerce <= 2.1.9 - Unauthenticated Price Alteration

Description

The WPC Name Your Price for WooCommerce plugin for WordPress is vulnerable to unauthorized price alteration in all versions up to, and including, 2.1.9. This is due to the plugin not disabling the ability to name a custom price when it has been specifically disabled for a product. This makes it possible for unauthenticated attackers to purchase products at prices less than they should be able to.

Published: 2025-10-31

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The WPC Name Your Price for WooCommerce plugin contains a flaw that allows unauthenticated users to set a custom price for products even when the feature has been disabled for those products. This leads to customers purchasing items at lower prices than intended, resulting in direct revenue loss and potential erosion of trust in the merchant’s pricing integrity. The weakness aligns with CWE‑602, where the plugin improperly permits the use of a function that should have been denied.

Affected Systems

WordPress sites using the WPC Name Your Price for WooCommerce plugin version 2.1.9 or earlier are affected; all releases up to and including 2.1.9 contain the vulnerability, while newer versions have the issue resolved.

Risk and Exploitability

The vulnerability has a CVSS score of 7.5, indicating high severity, but the EPSS score of <1% suggests a low likelihood of exploitation in the wild at this time. The attacker can trigger the flaw by submitting a purchase request without authentication, and no additional privileges or remote code execution are required. Although it is not listed in the CISA KEV catalog, e‑commerce operators should treat it as a critical issue for any site that utilizes the plugin.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

wpclever

WPC Name Your Price for WooCommerce

unaffected

Version	Status	Constraints
`0`	affected	≤ 2.1.9

No data.

Vendor	Product	Confidence	Versions
Woocommerce	Woocommerce	—	—
Wordpress	Wordpress	—	—
Wpclever	Wpc Name Your Price For Woocommerce	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade WPC Name Your Price for WooCommerce to version 2.2 or later.
If an immediate upgrade is not possible, disable the "Name Your Price" feature for all products or replace the plugin entirely.
Monitor transactions for unusually low prices and configure alerts to detect potential unauthorized purchases.

Generated by OpenCVE AI on April 21, 2026 at 01:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00119.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3386310%40wpc-name-your-price&new=3386310%40wpc-name-your-price&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/f64bc3c4-da89-4470-8353-d490f8bec408?source=cve

History

Mon, 03 Nov 2025 10:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Woocommerce Woocommerce woocommerce Wordpress Wordpress wordpress Wpclever Wpclever wpc Name Your Price For Woocommerce
Vendors & Products		Woocommerce Woocommerce woocommerce Wordpress Wordpress wordpress Wpclever Wpclever wpc Name Your Price For Woocommerce

Fri, 31 Oct 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 31 Oct 2025 09:45:00 +0000

Type	Values Removed	Values Added
Description		The WPC Name Your Price for WooCommerce plugin for WordPress is vulnerable to unauthorized price alteration in all versions up to, and including, 2.1.9. This is due to the plugin not disabling the ability to name a custom price when it has been specifically disabled for a product. This makes it possible for unauthenticated attackers to purchase products at prices less than they should be able to.
Title		WPC Name Your Price for WooCommerce <= 2.1.9 - Unauthenticated Price Alteration
Weaknesses		CWE-602
References		https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3386310%40wpc-name-your-price&new=3386310%40wpc-name-your-price&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/f64bc3c4-da89-4470-8353-d490f8bec408?source=cve
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}`

Subscriptions

Woocommerce Woocommerce

Wordpress Wordpress

Wpclever Wpc Name Your Price For Woocommerce

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2025-10-31T09:27:21.530Z

Updated: 2026-04-08T17:33:31.563Z

Reserved: 2025-10-23T15:27:17.832Z

Link: CVE-2025-12115

Vulnrichment

Updated: 2025-10-31T18:43:33.665Z

NVD

Status : Deferred

Published: 2025-10-31T10:15:49.990

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12115

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T02:00:12Z

Weaknesses

CWE-602

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object