CVE-2025-32272
📋 TL;DR
A Cross-Site Request Forgery (CSRF) vulnerability in the PickPlugins Wishlist WordPress plugin allows attackers to trick authenticated users into performing unintended actions. This affects WordPress sites using Wishlist plugin versions up to 1.0.44. Attackers could manipulate wishlist operations when users visit malicious pages while logged in.
💻 Affected Systems
- PickPlugins Wishlist WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could add/remove items from user wishlists, manipulate wishlist settings, or potentially chain with other vulnerabilities for more severe impact.
Likely Case
Unauthorized modification of user wishlists, potentially affecting e-commerce functionality and user experience.
If Mitigated
Minimal impact with proper CSRF protections and user awareness about suspicious links.
🎯 Exploit Status
CSRF attacks typically require user interaction (the victim visits a malicious page while authenticated to the WordPress site).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.45 or later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the 'Wishlist' plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 1.0.45+ from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
Disable the Wishlist plugin until patched
wp plugin deactivate wishlist
CSRF Protection Middleware
Implement additional CSRF protection at the application level
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers
- Educate users about not clicking suspicious links while logged in
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Wishlist version number
Check Version:
wp plugin get wishlist --field=version
Verify Fix Applied:
Verify plugin version is 1.0.45 or higher
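The version check above is easy to get wrong in a script: comparing version strings lexically treats "1.0.5" as newer than "1.0.44". The following is an added example (not part of this advisory or of the plugin) that reads the version with the wp-cli command shown on this page and compares it numerically against the 1.0.45 fix version. The plugin slug `wishlist` and the fixed version come from the page; the `wp` binary path is assumed to be on `PATH`.

```python
import re
import subprocess

# First fixed release according to the advisory (1.0.45).
PATCHED = (1, 0, 45)


def parse_version(text):
    """Turn a version string such as '1.0.44' into a tuple of ints.

    Tuples compare element by element, so (1, 0, 5) < (1, 0, 44) as intended;
    a plain string comparison would wrongly report '1.0.5' > '1.0.44'.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version_text, patched=PATCHED):
    """True when the installed version is older than the first fixed release."""
    v = parse_version(version_text)
    # Pad the shorter tuple with zeros so '1.1' compares as (1, 1, 0).
    width = max(len(v), len(patched))
    v = v + (0,) * (width - len(v))
    p = patched + (0,) * (width - len(patched))
    return v < p


def installed_version(wp_path="wp"):
    """Ask wp-cli for the plugin version using the command from the advisory.

    Returns None when wp-cli fails (plugin not installed, not a WordPress
    directory, etc.). Assumes `wp` is on PATH unless wp_path is given.
    """
    result = subprocess.run(
        [wp_path, "plugin", "get", "wishlist", "--field=version"],
        capture_output=True,
        text=True,
    )
    if result.returncode != 0:
        return None
    return result.stdout.strip()


if __name__ == "__main__":
    version = installed_version()
    if version is None:
        print("Wishlist plugin not found or wp-cli failed; nothing to check.")
    elif is_vulnerable(version):
        print(f"VULNERABLE: Wishlist {version} is below the fixed release 1.0.45")
    else:
        print(f"OK: Wishlist {version} is 1.0.45 or later")
```

Run it from the WordPress root (or pass `--path` through a wrapper of your own) so wp-cli can locate the installation; the exit path for a missing plugin is deliberate, since an absent plugin is not the same as a patched one.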
📡 Detection & Monitoring
Log Indicators:
- Unusual wishlist modification patterns
- CSRF token validation failures
Network Indicators:
- Requests to wishlist endpoints with a missing Referer header or one pointing at a domain other than your own site
SIEM Query:
source="wordpress" AND (uri_path="/wp-admin/admin-ajax.php" OR uri_path CONTAINS "wishlist") AND referrer NOT CONTAINS own_domain (replace own_domain with your site's hostname; the query is pseudo-syntax to adapt to your SIEM)
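As an added example that is not part of this advisory, the following Python script applies the same logic as the SIEM query above to web-server access logs: it flags requests that target the plugin's wishlist endpoints (a `wishlist` path segment, or an `admin-ajax.php` call whose `action` parameter mentions wishlist) when the Referer is absent or belongs to a host other than the site's own. The log lines, hostnames, IP addresses and `action` names are constructed for the example; the real plugin's AJAX action names and the site host must be substituted from your own environment.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: hostnames that legitimately serve this WordPress site.
SITE_HOSTS = {"shop.example.com"}

# Constructed sample in combined log format (not real traffic). Line 2 is a
# wishlist AJAX call referred from a third-party page, line 3 a wishlist page
# hit with no Referer at all, line 4 a non-wishlist AJAX call that must not fire.
SAMPLE_LOG = """\
203.0.113.7 - - [01/May/2025:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=wishlist_add HTTP/1.1" 200 87 "https://shop.example.com/product/123" "Mozilla/5.0"
203.0.113.9 - - [01/May/2025:10:00:05 +0000] "POST /wp-admin/admin-ajax.php?action=wishlist_add HTTP/1.1" 200 87 "https://evil.example.net/free-gift.html" "Mozilla/5.0"
203.0.113.9 - - [01/May/2025:10:00:06 +0000] "GET /wishlist/?remove=55 HTTP/1.1" 200 412 "-" "Mozilla/5.0"
198.51.100.4 - - [01/May/2025:10:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 12 "https://evil.example.net/" "Mozilla/5.0"
198.51.100.4 - - [01/May/2025:10:00:11 +0000] "GET /product/123 HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0"
"""

# Apache/Nginx "combined" format: ip ident user [time] "METHOD target PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["query"] = parse_qs(url.query)
    return rec


def is_wishlist_request(rec):
    """Mirror the query's uri_path test: a wishlist path, or admin-ajax with a wishlist action."""
    if "wishlist" in rec["path"].lower():
        return True
    if rec["path"].endswith("/admin-ajax.php"):
        return any("wishlist" in a.lower() for a in rec["query"].get("action", []))
    return False


def find_suspicious(log_text, site_hosts=SITE_HOSTS):
    """Return (ip, target, reason) for wishlist requests whose Referer is missing or off-site."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_wishlist_request(rec):
            continue
        referer = rec["referer"]
        if referer in ("", "-"):
            # A missing Referer can also come from a strict Referrer-Policy,
            # so this is a lower-confidence signal than an off-site host.
            hits.append((rec["ip"], rec["target"], "no referer"))
            continue
        host = (urlsplit(referer).hostname or "").lower()
        if host not in site_hosts:
            hits.append((rec["ip"], rec["target"], f"foreign referer {host}"))
    return hits


if __name__ == "__main__":
    for ip, target, reason in find_suspicious(SAMPLE_LOG):
        print(f"{ip} {target} -> {reason}")
```

Because the victim's browser sends the forged request with the attacker page as Referer (unless referrer policy strips it), the foreign-referer hits are the ones worth alerting on first; the no-referer hits are best reviewed as a count per client IP over time rather than individually.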