CVE-2025-11518 | THREATINT

Description

The WPC Smart Wishlist for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.0.3 via several wishlist AJAX functions due to missing validation on a user controlled key that is exposed when wishlists are shared. This makes it possible for unauthenticated attackers to empty and add to other user's wishlists, if they have access to the key.

PUBLISHED Reserved 2025-10-08 | Published 2025-10-11 | Updated 2025-10-11 | Assigner Wordfence

MEDIUM: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Problem types

CWE-639 Authorization Bypass Through User-Controlled Key

Product status

Default status

unaffected

affected

Timeline

2025-10-08:	Vendor Notified
2025-10-10:	Disclosed

Credits

Athiwat Tiprasaharn finder

References

www.wordfence.com/...-edc0-4b19-a91f-5099a085e8ce?source=cve

plugins.trac.wordpress.org/...wishlist&sfp_email=&sfph_mail=

cve.org (CVE-2025-11518)

nvd.nist.gov (CVE-2025-11518)

Download JSON