Description
The ShopEngine Elementor WooCommerce Builder Addon plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.8.5. This is due to missing nonce validation on the "post_add_to_list" function as well as an incorrect permissions callback in the "Api/init" function. This makes it possible for unauthenticated attackers to add or remove products from a user's wishlist via a forged request granted they can trick a site's user into performing an action such as clicking on a link.
Published: 2025-12-03
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Request Forgery enabling unauthenticated wishlist manipulation
Action: Patch
AI Analysis

Impact

The ShopEngine Elementor WooCommerce Builder Addon plugin is vulnerable to a CSRF flaw caused by missing nonce validation on the "post_add_to_list" endpoint and an incorrect permissions callback in its API initialization. An attacker who can convince a site user to visit a crafted link can add or remove items from that user's wishlist without authentication. The impact is a moderate integrity violation and potential commercial impact for e‑commerce sites that rely on wishlist integrity, but it does not expose sensitive data or allow code execution.

Affected Systems

All users of the roxnor ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution with version 4.8.5 or earlier are affected. Versions higher than 4.8.5 include the fix and are not vulnerable.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate risk, while the EPSS score of less than 1% implies a low likelihood of exploitation at this time. The vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is web‑based: a malicious link or HTML payload that triggers a forged POST request to the vulnerable endpoint, requiring the victim to click the link or visit an embedded resource. Successful exploitation would allow an attacker to manipulate a user’s wishlist but does not enable broader attacks such as data exfiltration or remote code execution.

Generated by OpenCVE AI on April 22, 2026 at 11:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the ShopEngine plugin to the latest official release (4.8.6 or newer) to incorporate the missing nonce validation and correct permission checks.
  • If an upgrade is not immediately possible, configure the site’s web application firewall or security plugin to block unauthenticated requests to the "post_add_to_list" endpoint and the ShopEngine API initialization route.
  • Audit all installed third‑party plugins to ensure none contain similar CSRF weaknesses and disable or remove any that are unnecessary for site operation.

Generated by OpenCVE AI on April 22, 2026 at 11:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 04 Dec 2025 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Elementor
Elementor elementor
Roxnor
Roxnor shopengine Elementor Woocommerce Builder Addon
Woocommerce
Woocommerce woocommerce
Wordpress
Wordpress wordpress
Vendors & Products Elementor
Elementor elementor
Roxnor
Roxnor shopengine Elementor Woocommerce Builder Addon
Woocommerce
Woocommerce woocommerce
Wordpress
Wordpress wordpress

Wed, 03 Dec 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 03 Dec 2025 12:45:00 +0000

Type Values Removed Values Added
Description The ShopEngine Elementor WooCommerce Builder Addon plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.8.5. This is due to missing nonce validation on the "post_add_to_list" function as well as an incorrect permissions callback in the "Api/init" function. This makes it possible for unauthenticated attackers to add or remove products from a user's wishlist via a forged request granted they can trick a site's user into performing an action such as clicking on a link.
Title ShopEngine <= 4.8.5 - Cross-Site Request Forgery to Wishlist Manipulation
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Elementor Elementor
Roxnor Shopengine Elementor Woocommerce Builder Addon
Woocommerce Woocommerce
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:59:48.815Z

Reserved: 2025-10-27T16:10:11.719Z

Link: CVE-2025-12358

cve-icon Vulnrichment

Updated: 2025-12-03T13:58:36.331Z

cve-icon NVD

Status : Deferred

Published: 2025-12-03T13:16:00.587

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12358

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T12:00:05Z

Weaknesses