CVE-2025-13157
📋 TL;DR
The QODE Wishlist for WooCommerce WordPress plugin has an Insecure Direct Object Reference vulnerability that allows unauthenticated attackers to modify the public visibility of any user's wishlist. This affects all WordPress sites using the plugin up to version 1.2.7. Attackers can manipulate wishlist privacy settings without authentication.
💻 Affected Systems
- QODE Wishlist for WooCommerce WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could make private wishlists containing sensitive purchase intentions or gift ideas publicly accessible, potentially exposing personal information or compromising user privacy.
Likely Case
Malicious actors could disrupt user experience by changing wishlist visibility, causing confusion or exposing wishlist contents that users intended to keep private.
If Mitigated
With proper access controls and input validation, only authenticated users could modify their own wishlist settings, preventing unauthorized changes.
🎯 Exploit Status
The vulnerability is in the wishlist_table_item_callback function which lacks proper authorization checks on user-supplied wishlist IDs.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.8
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3402469/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'QODE Wishlist for WooCommerce'. 4. Click 'Update Now' if available, or download version 1.2.8+ from WordPress repository. 5. Activate the updated plugin.
🔧 Temporary Workarounds
Disable the vulnerable plugin
allTemporarily deactivate the QODE Wishlist plugin until patched
wp plugin deactivate qode-wishlist-for-woocommerce
Restrict access to wishlist endpoints
linuxUse web application firewall or .htaccess to block unauthenticated access to wishlist AJAX endpoints
# Add to .htaccess: RewriteCond %{QUERY_STRING} qode_wishlist_for_woocommerce_wishlist_table_item_callback [NC]\nRewriteRule ^ - [F]
🧯 If You Can't Patch
- Disable the QODE Wishlist plugin entirely and use alternative wishlist functionality
- Implement network-level restrictions to block external access to the WordPress site's AJAX endpoints
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin > Plugins > Installed Plugins for QODE Wishlist for WooCommerce version. If version is 1.2.7 or lower, you are vulnerable.Check Version:
wp plugin get qode-wishlist-for-woocommerce --field=versionVerify Fix Applied:
After updating, verify the plugin version shows 1.2.8 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin-ajax.php with 'action=qode_wishlist_for_woocommerce_wishlist_table_item_callback' parameter from unauthenticated IPs
- Multiple wishlist visibility changes from single IP addresses
Network Indicators:
- HTTP POST requests to admin-ajax.php with wishlist ID manipulation parameters from external IPs without authentication cookies
SIEM Query:
source="web_logs" AND uri="/wp-admin/admin-ajax.php" AND params.action="qode_wishlist_for_woocommerce_wishlist_table_item_callback" AND NOT user_agent="WordPress/*"