CVE-2025-11518
📋 TL;DR
The WPC Smart Wishlist for WooCommerce WordPress plugin has an Insecure Direct Object Reference vulnerability that allows unauthenticated attackers to modify other users' wishlists if they obtain the wishlist sharing key. This affects all WordPress sites using this plugin up to version 5.0.3. Attackers can add or remove items from wishlists without authorization.
💻 Affected Systems
- WPC Smart Wishlist for WooCommerce WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could systematically empty all user wishlists, causing customer dissatisfaction and potential lost sales for e-commerce sites.
Likely Case
Malicious actors tampering with wishlists to add inappropriate items or remove desired items, disrupting user experience.
If Mitigated
Minimal impact with proper access controls and monitoring in place.
🎯 Exploit Status
Exploitation requires obtaining wishlist sharing keys, which are exposed when users share wishlists.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.0.4 or later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find WPC Smart Wishlist for WooCommerce.
4. Click 'Update Now' if available.
5. Alternatively, download version 5.0.4+ from the WordPress repository and update manually.
🔧 Temporary Workarounds
Disable Wishlist Sharing
Temporarily disable the wishlist sharing feature to prevent exposure of wishlist keys.
Restrict AJAX Endpoints
Use web application firewall rules to restrict access to the vulnerable AJAX endpoints.
🧯 If You Can't Patch
- Disable the WPC Smart Wishlist plugin entirely until patched
- Implement strict access controls and monitoring for wishlist-related AJAX requests
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for WPC Smart Wishlist version. If version is 5.0.3 or lower, you are vulnerable.
Check Version:
wp plugin list --name=<plugin-slug> --field=version
(The --name filter matches the plugin's directory slug under wp-content/plugins, not its display title; substitute the slug of the installed WPC Smart Wishlist plugin.)
Verify Fix Applied:
After updating, verify plugin version shows 5.0.4 or higher in WordPress admin.
📡 Detection & Monitoring
Log Indicators:
- Unusual AJAX requests to wishlist endpoints from unauthenticated users
- Multiple wishlist modification requests from single IP addresses
Network Indicators:
- HTTP POST requests to /wp-admin/admin-ajax.php with wishlist-related actions from unauthorized sources
SIEM Query:
source="web_logs" AND (uri="/wp-admin/admin-ajax.php" AND (action="wishlist_*" OR param="wishlist_key")) AND user="-"
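The detection logic above, applied to a handful of constructed log lines, as an added example that is not part of the original advisory. It assumes a key=value application or WAF log that records the request parameters (plain access logs usually omit the POST body, so the `action` and `params` fields would not be available there); the log lines, field names and IPs are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample log lines, modelled on the fields the advisory's SIEM
# query uses (uri, action, param, user). user=- means no authenticated user.
SAMPLE_LOGS = """\
ts=2025-10-10T12:00:01Z ip=203.0.113.5 method=POST uri=/wp-admin/admin-ajax.php action=wishlist_add params=wishlist_key,product_id user=-
ts=2025-10-10T12:00:02Z ip=203.0.113.5 method=POST uri=/wp-admin/admin-ajax.php action=wishlist_remove params=wishlist_key,product_id user=-
ts=2025-10-10T12:00:03Z ip=203.0.113.5 method=POST uri=/wp-admin/admin-ajax.php action=wishlist_remove params=wishlist_key,product_id user=-
ts=2025-10-10T12:00:04Z ip=198.51.100.7 method=POST uri=/wp-admin/admin-ajax.php action=wishlist_add params=wishlist_key,product_id user=alice
ts=2025-10-10T12:00:05Z ip=198.51.100.8 method=GET uri=/shop/ action=- params=- user=-
ts=2025-10-10T12:00:06Z ip=198.51.100.9 method=POST uri=/wp-admin/admin-ajax.php action=heartbeat params=- user=-
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")
AJAX_URI = "/wp-admin/admin-ajax.php"


def parse_line(line):
    """Turn one key=value log line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))


def is_wishlist_mod(ev):
    """Network indicator from the advisory: a POST to admin-ajax.php that
    carries a wishlist_* action or the wishlist_key parameter."""
    params = ev.get("params", "").split(",")
    return (ev.get("method") == "POST" and ev.get("uri") == AJAX_URI
            and (ev.get("action", "").startswith("wishlist_")
                 or "wishlist_key" in params))


def find_indicators(log_text, burst_threshold=3):
    """Return (unauthenticated wishlist modifications,
               {ip: count} for IPs at or above burst_threshold)."""
    events = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    mods = [ev for ev in events if is_wishlist_mod(ev)]
    # Log indicator 1: wishlist changes with no authenticated user.
    unauth = [ev for ev in mods if ev.get("user", "-") == "-"]
    # Log indicator 2: many wishlist modifications from a single IP.
    per_ip = Counter(ev["ip"] for ev in mods)
    bursts = {ip: n for ip, n in per_ip.items() if n >= burst_threshold}
    return unauth, bursts


if __name__ == "__main__":
    unauth, bursts = find_indicators(SAMPLE_LOGS)
    for ev in unauth:
        print("unauthenticated wishlist change:", ev["ip"], ev["action"])
    for ip, n in bursts.items():
        print(f"burst: {ip} made {n} wishlist modifications")
```

The burst threshold is a tunable placeholder; pick one from your site's normal wishlist traffic before alerting on it.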