CVE-2025-13157 (severity: MEDIUM)

CVE-2025-13157: QODE Wishlist for WooCommerce <= 1.2.7 - Unauthenticated Insecure Direct Object Reference to Wishlist Update

Vendor: Qodeinteractive
Product: QODE Wishlist for WooCommerce
Weakness: CWE-639 (Insecure Direct Object Reference, IDOR)
Published: November 27, 2025
Last update: April 8, 2026

CVSS base score

5.3/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: None
Integrity: Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

1. Description

The QODE Wishlist for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.7 via the 'qode_wishlist_for_woocommerce_wishlist_table_item_callback' function, due to missing validation on a user-controlled key. This makes it possible for unauthenticated attackers to update the public view of arbitrary wishlists.

Explanation of the vulnerability in simple terms

2. Summary

QODE Wishlist for WooCommerce versions 1.2.7 and earlier contain an authorization bypass that allows unauthenticated attackers to modify wishlist data. The vulnerability requires no user interaction and can be exploited over the network. Site administrators should update to a version newer than 1.2.7 to prevent unauthorized wishlist manipulation.

What an attacker can do

3. Attacker capabilities

Modify wishlist data without authentication or permission.

Potential impact on your site

4. Site impact

Attackers can alter customer wishlists, potentially disrupting the shopping experience and undermining data integrity.

Conditions required to exploit

5. Prerequisites

Network access only; no authentication or user interaction required.

Key dates

6. Disclosure timeline

November 27, 2025: CVE published
April 8, 2026: Record updated