CVE-2025-11742
📋 TL;DR
This vulnerability allows authenticated WordPress users with Subscriber-level access or higher to view other users' wishlist data through the WPC Smart Wishlist for WooCommerce plugin. It affects all versions up to and including 5.0.4 due to a missing capability check on an AJAX endpoint. Any WordPress site using this plugin with user accounts is potentially affected.
💻 Affected Systems
- WPC Smart Wishlist for WooCommerce WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could harvest sensitive customer wishlist data, potentially revealing personal shopping preferences, gift intentions, or upcoming purchases, leading to privacy violations and targeted phishing campaigns.
Likely Case
Low-privilege authenticated users can view wishlists of other customers, violating privacy expectations but not directly compromising administrative functions or payment data.
If Mitigated
With proper access controls and patching, only authorized users can view their own wishlists, maintaining expected privacy boundaries.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once an attacker has a valid user account.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 5.0.5 or later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'WPC Smart Wishlist for WooCommerce'.
4. Click 'Update Now' if available, or manually update to version 5.0.5+.
5. Verify the plugin version after the update.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
Remove or restrict access to the 'wishlist_quickview' AJAX action via WordPress hooks or firewall rules.
Add to the active theme's functions.php (plugins are loaded before the theme, so these calls run after the plugin has registered its handlers; the callback name must match the one the plugin actually registers, so adjust 'wishlist_quickview_callback' if it differs in your installed version):
    // Unhook the quick-view handler for logged-in users (the vulnerable path).
    remove_action('wp_ajax_wishlist_quickview', 'wishlist_quickview_callback');
    // Unhook the same handler for unauthenticated requests as well.
    remove_action('wp_ajax_nopriv_wishlist_quickview', 'wishlist_quickview_callback');
🧯 If You Can't Patch
- Temporarily deactivate the WPC Smart Wishlist plugin until patching is possible.
- Implement strict access controls and monitor for unusual wishlist access patterns.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin > Plugins > Installed Plugins for WPC Smart Wishlist version. If version is 5.0.4 or lower, the site is vulnerable.
Check Version:
wp plugin list --name='WPC Smart Wishlist for WooCommerce' --field=version
(WP-CLI's --name filter matches the plugin slug, i.e. its directory name under wp-content/plugins, so if the display name returns nothing, use the slug, or run wp plugin list without filters and read the version column.)
Verify Fix Applied:
After updating, confirm the plugin version shows 5.0.5 or higher in WordPress admin.
📡 Detection & Monitoring
Log Indicators:
- Unusual frequency of AJAX requests to /wp-admin/admin-ajax.php with action=wishlist_quickview from non-admin users
- Multiple wishlist views from single user accounts in short timeframes
Network Indicators:
- HTTP POST requests to admin-ajax.php with wishlist_quickview action from unexpected IPs
SIEM Query:
source="wordpress.log" action="admin-ajax" wishlist_quickview | stats count by src_ip user
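As an added example (not part of this advisory and not the plugin's or vendor's code), the following Python sketch applies the two log indicators above to constructed log lines: a per-account sliding window counts wishlist_quickview requests and the number of distinct wishlist ids viewed, so a single account walking through many wishlists stands out. The one-line log format and the thresholds are assumptions; adapt parse_line to your WAF or audit-log format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic):
# "<UTC timestamp> <source IP> <WordPress login> <admin-ajax action> <wishlist id>"
SAMPLE_LOG = [
    "2025-10-01T10:00:00Z 203.0.113.7 alice wishlist_quickview 41",
    "2025-10-01T10:00:04Z 203.0.113.7 alice wishlist_quickview 42",
    "2025-10-01T10:00:09Z 203.0.113.7 alice wishlist_quickview 43",
    "2025-10-01T10:00:13Z 203.0.113.7 alice wishlist_quickview 44",
    "2025-10-01T10:00:18Z 203.0.113.7 alice wishlist_quickview 45",
    "2025-10-01T10:00:22Z 203.0.113.7 alice wishlist_quickview 46",
    "2025-10-01T10:00:30Z 198.51.100.2 bob wishlist_quickview 7",
    "2025-10-01T10:00:31Z 198.51.100.2 bob heartbeat 7",
    "2025-10-01T10:05:00Z 198.51.100.2 bob wishlist_quickview 7",
    "2025-10-01T09:00:00Z 192.0.2.9 carol wishlist_quickview 3",
    "2025-10-01T12:00:00Z 192.0.2.9 carol wishlist_quickview 8",
]


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, user, action, wishlist_id)."""
    ts, ip, user, action, wishlist_id = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, action, wishlist_id


def flag_quickview_abuse(lines, window=timedelta(seconds=60), max_requests=5, max_distinct=3):
    """Return {user: (peak_requests, peak_distinct_wishlists)} for accounts whose
    wishlist_quickview activity exceeds either threshold inside any sliding window.
    Normal shoppers revisit their own wishlist; many distinct ids in a short
    window is the enumeration pattern the advisory's log indicators describe."""
    events = sorted(parse_line(line) for line in lines)  # tuples sort by timestamp first
    recent = defaultdict(deque)  # user -> deque of (timestamp, wishlist_id) inside the window
    flagged = {}
    for ts, _ip, user, action, wishlist_id in events:
        if action != "wishlist_quickview":
            continue  # other admin-ajax actions are not relevant to this CVE
        q = recent[user]
        q.append((ts, wishlist_id))
        while ts - q[0][0] > window:  # drop requests that fell out of the window
            q.popleft()
        distinct = len({w for _, w in q})
        if len(q) > max_requests or distinct > max_distinct:
            prev = flagged.get(user, (0, 0))
            flagged[user] = (max(prev[0], len(q)), max(prev[1], distinct))
    return flagged


if __name__ == "__main__":
    for user, (reqs, distinct) in flag_quickview_abuse(SAMPLE_LOG).items():
        print(f"{user}: {reqs} quick-view requests over {distinct} distinct wishlists in one window")
```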