vulnerability

WordPress Plugin: woo-smart-wishlist: CVE-2025-11518: Authorization Bypass Through User-Controlled Key

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
5	(AV:N/AC:L/Au:N/C:N/I:P/A:N)	Oct 10, 2025	Oct 13, 2025	Oct 13, 2025

Severity

CVSS

(AV:N/AC:L/Au:N/C:N/I:P/A:N)

Published

Oct 10, 2025

Added

Oct 13, 2025

Modified

Oct 13, 2025

Description

The WPC Smart Wishlist for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.0.3 via several wishlist AJAX functions due to missing validation on a user controlled key that is exposed when wishlists are shared. This makes it possible for unauthenticated attackers to empty and add to other user's wishlists, if they have access to the key.

Solution

woo-smart-wishlist-plugin-cve-2025-11518

References

URL-https://www.cve.org/CVERecord?id=CVE-2025-11518
URL-https://www.wordfence.com/threat-intel/vulnerabilities/id/afe275b4-edc0-4b19-a91f-5099a085e8ce?source=api-prod
CVE-2025-11518
https://attackerkb.com/topics/CVE-2025-11518
CWE-639

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today