CVE-2025-11518 MEDIUM

CVE-2025-11518: WPC Smart Wishlist for WooCommerce <= 5.0.3 - Insecure Direct Object Reference to Unauthenticated Wishlist Manipulation

Vendor: Wpclever
Product: WPC Smart Wishlist for WooCommerce
Weakness: CWE-639 · IDOR
Published: October 11, 2025
Last update: April 8, 2026

CVSS base score

5.3/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: None
Integrity: Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

The WPC Smart Wishlist for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.0.3 via several wishlist AJAX functions, due to missing validation on a user-controlled key that is exposed when wishlists are shared. This makes it possible for unauthenticated attackers to empty and add to other users' wishlists, if they have access to the key.
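The missing check described above, modelled in plain PHP as an added example; it is not the plugin's code, and every function name, key and session ID in it is hypothetical. It assumes the server keeps its own record of which wishlist key belongs to each session and authorizes writes against that record rather than against the key supplied in the request.

```php
<?php
declare(strict_types=1);

// Constructed sample state; all names are hypothetical, not the plugin's.
// Wishlists are stored by key; each server-side session is bound to one key.
$wishlists = ['k-alice' => [101, 102], 'k-bob' => [205]];
$sessions  = ['sess-alice' => 'k-alice', 'sess-bob' => 'k-bob'];

/** Vulnerable shape: the key in the request alone selects the wishlist to write. */
function empty_wishlist_unchecked(array &$wishlists, string $requestKey): bool
{
    if (!array_key_exists($requestKey, $wishlists)) {
        return false;
    }
    $wishlists[$requestKey] = [];
    return true;
}

/**
 * Hardened shape: a write is allowed only when the requested key equals the
 * key bound server-side to the caller's session, so a key learned from a
 * shared link grants no write access.
 */
function empty_wishlist_checked(
    array &$wishlists,
    array $sessions,
    ?string $sessionId,
    string $requestKey
): bool {
    $ownKey = $sessionId !== null ? ($sessions[$sessionId] ?? null) : null;
    if ($ownKey === null || !hash_equals($ownKey, $requestKey)) {
        return false; // no session, or the key belongs to someone else
    }
    $wishlists[$ownKey] = [];
    return true;
}

// Case 1: unchecked handler, caller presents a key taken from a shared link.
$a = $wishlists;
var_dump(empty_wishlist_unchecked($a, 'k-alice'), $a['k-alice']);

// Cases 2-4: checked handler with another user's session, no session, the owner.
$b = $wishlists;
var_dump(empty_wishlist_checked($b, $sessions, 'sess-bob', 'k-alice'));
var_dump(empty_wishlist_checked($b, $sessions, null, 'k-alice'));
var_dump(empty_wishlist_checked($b, $sessions, 'sess-alice', 'k-alice'));
```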

Explanation of Vulnerability in Simple Terms

02 Summary

WPC Smart Wishlist for WooCommerce versions up to and including 5.0.3 contain an authorization bypass that allows unauthenticated attackers to modify wishlist data. The vulnerability requires no user interaction and can be exploited over the network. Site owners should update to a version newer than 5.0.3 to prevent unauthorized wishlist manipulation.

What an attacker can do

03 Attacker Capabilities

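Modify wishlist data without authentication or permission: empty other users' wishlists or add items to them, given the wishlist key that is exposed when a wishlist is shared.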

Potential impact on your site

04 Site Impact

Attackers can alter customer wishlists, potentially disrupting the shopping experience and data integrity.

Conditions required to exploit

05 Prerequisites

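Network access only; no authentication or user interaction required. The attacker must have access to the target wishlist's key, which is exposed when the wishlist is shared.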

Key dates

06 Disclosure timeline

October 11, 2025: CVE published
April 8, 2026: Record updated