CVE Alert: CVE-2025-12115 – wpclever – WPC Name Your Price for WooCommerce

CVE-2025-12115

Severity: HIGH | Exploitation: none known

The WPC Name Your Price for WooCommerce plugin for WordPress is vulnerable to unauthorized price alteration in all versions up to, and including, 2.1.9. The plugin does not disable the ability to name a custom price when that feature has been specifically disabled for a product, so a client-supplied price is still honoured. This makes it possible for unauthenticated attackers to purchase products at lower prices than the seller configured.

CVSS v3.1 (7.5)
Vendor
wpclever
Product
WPC Name Your Price for WooCommerce
Versions
* lte 2.1.9
CWE
CWE-602 Client-Side Enforcement of Server-Side Security
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Published
2025-10-31T09:27:21.530Z
Updated
2025-10-31T09:27:21.530Z

AI Summary Analysis

Risk verdict

High risk: unauthenticated remote price manipulation is possible, creating potential fraud and revenue impact; patching should be prioritised.

Why this matters

Allows attackers to alter prices without authentication, compromising the integrity of orders. No user interaction is required, so exploitation can scale across exposed e-commerce deployments, risking underpriced transactions, chargebacks, and damaged trust.

Most likely attack path

An unauthenticated actor adds a product to the cart or submits checkout with a crafted custom-price value, exactly as the Name Your Price form would, but for a product on which the shop owner has turned the feature off. Because the server does not re-check the per-product setting before applying the submitted price, the client-controlled value reaches the order total. The precondition is therefore the opposite of what one might expect: the vulnerable sites are those that rely on the per-product "disable" switch to protect fixed-price products while the plugin is active.

Who is most exposed

Publicly accessible WooCommerce sites running the plugin at 2.1.9 or earlier, especially shops that enabled Name Your Price on a few products and assume the per-product switch protects the rest, and that have no independent server-side check of line-item prices against the catalogue.

Detection ideas

  • Completed orders whose line-item prices fall below the catalogue price on products where Name Your Price is disabled, or below the configured minimum on products where it is enabled.
  • Cart/checkout requests that carry a custom-price parameter for products that should not accept one.
  • Clusters of underpriced orders from the same IP address, user agent, or guest e-mail address.
  • Order notes or admin logs showing price overrides that no administrator applied.
  • Sudden drops in average order value or in revenue per unit sold for specific SKUs.

Mitigation and prioritisation

  • Upgrade to the vendor's fixed release. Note that disabling Name Your Price per product is the control that the vulnerable versions fail to honour, so it is not a workaround; if you cannot patch, deactivate the plugin until you can.
  • Independently of the plugin, recompute every line-item price on the server from catalogue data at checkout and reject orders whose submitted total does not match.
  • Deploy WAF rules or monitoring to flag requests that carry a custom-price parameter for products that should not accept one; tighten input validation on cart and checkout endpoints.
  • Document changes in change-management records and test in staging prior to production rollout.
  • If the CVE is added to CISA KEV or its EPSS score reaches 0.5 or higher, treat it as priority 1. (Neither indicator is present in the data above; escalate only if they appear.)
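The following is an added example, not code from this page or from WPC's plugin. It shows, in Python, the two controls recommended above: a server-side price decision that ignores the client value whenever Name Your Price is disabled for the product (the check CWE-602 is about), and a detection pass over completed orders that flags underpriced lines and clusters them by source IP. The catalogue schema, the order records and the function names are all hypothetical, constructed for this illustration.

```python
from collections import Counter
from decimal import Decimal

# Constructed catalogue (hypothetical schema, not WPC's): catalogue price,
# whether Name Your Price (NYP) is enabled for the product, and the floor if so.
CATALOG = {
    "sku-100": {"price": Decimal("49.00"), "nyp_enabled": False, "nyp_min": None},
    "sku-200": {"price": Decimal("20.00"), "nyp_enabled": True, "nyp_min": Decimal("15.00")},
    "sku-300": {"price": Decimal("5.00"), "nyp_enabled": True, "nyp_min": None},
}


def authoritative_unit_price(product_id, submitted_price, catalog=CATALOG):
    """Return the price the server will charge, decided from server-side settings.

    - NYP disabled: the client value is ignored entirely. This is the check the
      advisory says versions <= 2.1.9 lack.
    - NYP enabled: the client value is accepted only if it meets the floor.
    """
    product = catalog[product_id]
    if not product["nyp_enabled"]:
        return product["price"]
    floor = product["nyp_min"] if product["nyp_min"] is not None else Decimal("0")
    if submitted_price is None:
        raise ValueError(f"{product_id}: a custom price is required")
    submitted = Decimal(str(submitted_price))
    if submitted < floor:
        raise ValueError(f"{product_id}: submitted price {submitted} is below floor {floor}")
    return submitted


def checkout_total(lines, catalog=CATALOG):
    """Recompute the order total from authoritative prices; never trust a
    client-supplied total or line price."""
    total = Decimal("0")
    for line in lines:
        unit = authoritative_unit_price(line["product_id"], line.get("submitted_price"), catalog)
        total += unit * line["qty"]
    return total


def audit_orders(orders, catalog=CATALOG):
    """Detection pass over completed orders (e.g. a WooCommerce order export).

    Flags every line charged below what the server-side rules would allow and
    counts flagged orders per source IP to surface clustered abuse.
    """
    findings = []
    for order in orders:
        for line in order["lines"]:
            product = catalog[line["product_id"]]
            if product["nyp_enabled"]:
                allowed_min = product["nyp_min"] if product["nyp_min"] is not None else Decimal("0")
            else:
                allowed_min = product["price"]
            if line["charged_price"] < allowed_min:
                findings.append({
                    "order_id": order["order_id"],
                    "ip": order["ip"],
                    "product_id": line["product_id"],
                    "charged": line["charged_price"],
                    "allowed_min": allowed_min,
                })
    per_ip = Counter(f["ip"] for f in findings)
    return findings, per_ip


# Constructed sample orders: one legitimate NYP purchase (1004, no floor on
# sku-300), one below the floor (1003), and two on a product with NYP disabled
# that were nevertheless charged far below catalogue price (1002, 1005).
SAMPLE_ORDERS = [
    {"order_id": 1001, "ip": "203.0.113.7", "lines": [{"product_id": "sku-100", "qty": 1, "charged_price": Decimal("49.00")}]},
    {"order_id": 1002, "ip": "203.0.113.7", "lines": [{"product_id": "sku-100", "qty": 3, "charged_price": Decimal("1.00")}]},
    {"order_id": 1003, "ip": "198.51.100.2", "lines": [{"product_id": "sku-200", "qty": 1, "charged_price": Decimal("10.00")}]},
    {"order_id": 1004, "ip": "203.0.113.7", "lines": [{"product_id": "sku-300", "qty": 2, "charged_price": Decimal("0.50")}]},
    {"order_id": 1005, "ip": "203.0.113.7", "lines": [{"product_id": "sku-100", "qty": 1, "charged_price": Decimal("0.01")}]},
]

if __name__ == "__main__":
    # A crafted price on an NYP-disabled product is simply ignored.
    print(authoritative_unit_price("sku-100", "1.00"))
    findings, per_ip = audit_orders(SAMPLE_ORDERS)
    for f in findings:
        print(f"order {f['order_id']} from {f['ip']}: {f['product_id']} charged {f['charged']}, minimum {f['allowed_min']}")
    print(dict(per_ip))
```

The point of `authoritative_unit_price` is that the decision is made from stored product settings, so the client's value can at most select a price within a server-defined range, never set one on a product that does not accept it. `audit_orders` applies the same rule retrospectively; run it over historical orders after upgrading to estimate how long the weakness was abused.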
