{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11518", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-08T15:58:42.951Z", "datePublished": "2025-10-11T08:29:16.871Z", "dateUpdated": "2026-04-08T17:15:42.132Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:15:42.132Z"}, "affected": [{"vendor": "wpclever", "product": "WPC Smart Wishlist for WooCommerce", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.0.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WPC Smart Wishlist for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.0.3 via several wishlist AJAX functions due to missing validation on a user controlled key that is exposed when wishlists are shared. This makes it possible for unauthenticated attackers to empty and add to other user's wishlists, if they have access to the key."}], "title": "WPC Smart Wishlist for WooCommerce <= 5.0.3 - Insecure Direct Object Reference to Unauthenticated Wishlist Manipulation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/afe275b4-edc0-4b19-a91f-5099a085e8ce?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3375421%40woo-smart-wishlist&new=3375421%40woo-smart-wishlist&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "cweId": "CWE-639", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "timeline": [{"time": "2025-10-08T16:13:59.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-10-10T19:41:35.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-14T13:30:28.542898Z", "id": "CVE-2025-11518", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-14T14:11:19.421Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11518", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-14T13:30:28.542898Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-14T13:30:30.314Z"}}], "cna": {"title": "WPC Smart Wishlist for WooCommerce <= 5.0.3 - Insecure Direct Object Reference to Unauthenticated Wishlist Manipulation", "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "wpclever", "product": "WPC Smart Wishlist for WooCommerce", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "5.0.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-08T16:13:59.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-10-10T19:41:35.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/afe275b4-edc0-4b19-a91f-5099a085e8ce?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3375421%40woo-smart-wishlist&new=3375421%40woo-smart-wishlist&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The WPC Smart Wishlist for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.0.3 via several wishlist AJAX functions due to missing validation on a user controlled key that is exposed when wishlists are shared. This makes it possible for unauthenticated attackers to empty and add to other user's wishlists, if they have access to the key."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:15:42.132Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11518", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:15:42.132Z", "dateReserved": "2025-10-08T15:58:42.951Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-11T08:29:16.871Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WPC Smart Wishlist for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.0.3 via several wishlist AJAX functions due to missing validation on a user controlled key that is exposed when wishlists are shared. This makes it possible for unauthenticated attackers to empty and add to other user's wishlists, if they have access to the key."}], "id": "CVE-2025-11518", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-11T09:15:32.653", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3375421%40woo-smart-wishlist&new=3375421%40woo-smart-wishlist&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/afe275b4-edc0-4b19-a91f-5099a085e8ce?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T02:25:42.780041+00:00", "value": {"mitigation_remediation": ["Update the WPC Smart Wishlist for WooCommerce plugin to version 5.0.4 or later, which removes the exposed key from shared wishlists and adds proper permission checks on AJAX handlers.", "If an immediate upgrade is not possible, disable the shared wishlist feature or restrict access to the affected AJAX endpoints so that only authenticated owners can manipulate wishlists.", "Implement additional server\u2011side validation to ensure that any key used to identify a wishlist is bound to the requesting user's session and not supplied by an external user."], "summary": {"action": "Apply patch", "impact": "Unauthorized manipulation of user wishlists via insecure direct object reference"}, "threat_synthesis": {"affected_systems": "Affects the WordPress plugin WPC Smart Wishlist for WooCommerce, versions up to and including 5.0.3, installed on any WordPress site that uses the plugin and permits shared wishlists.", "description_and_impact": "The vulnerability resides in the WPC Smart Wishlist for WooCommerce plugin, allowing an unauthenticated attacker to use exposed AJAX endpoints and a user\u2011controlled key to empty or add items to any shared wishlist. Because the key is not validated, an attacker who knows or guesses the key can perform arbitrary modifications, violating the integrity of other users\u2019 wishlists. This weakness is a classic instance of CWE\u2011639: Insufficient Verification of Permissions Before Performing an Action.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of widespread exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw by sending crafted AJAX requests with a known key, thus achieving unauthenticated wishlist manipulation without requiring user authentication or elevated privileges."}}}}, "created": "2025-10-20T16:17:05.340691+00:00", "updated": "2026-04-21T02:30:25.833264+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpclever", "wpclever$PRODUCT$wpc_smart_wishlist_for_woocommerce"]}