What the vulnerability does
01Description
The Wishlist and Save for later for Woocommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.22 via the 'awwlm_remove_added_wishlist_page' AJAX action due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete wishlist items from other user's wishlists.
Explanation of Vulnerability in Simple Terms
02Summary
The Wishlist and Save for later for WooCommerce plugin through version 1.1.22 contains an authorization flaw that allows authenticated users to modify data they should not have access to. An attacker with a low-privilege account can alter wishlist or saved item records belonging to other users or the site. No user interaction is required beyond initial authentication. Update to a version newer than 1.1.22.
What an attacker can do
03Attacker Capabilities
Modify wishlist or saved item data belonging to other users or the site.
Potential impact on your site
04Site Impact
Customer wishlist and saved item data can be altered or deleted by other authenticated users, affecting data integrity and customer trust.
Conditions required to exploit
05Prerequisites
Attacker must have a low-privilege account on the WooCommerce site (e.g., customer or subscriber role).
Key dates
06Disclosure timeline
November 12, 2025
CVE published
April 8, 2026
Record updated