{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11532", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-08T19:14:04.214Z", "datePublished": "2025-11-11T03:30:47.370Z", "dateUpdated": "2026-04-08T17:16:35.718Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:16:35.718Z"}, "affected": [{"vendor": "softivus", "product": "Wisly", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Wisly plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0.0 due to missing validation on the 'wishlist_id' user controlled key. This makes it possible for unauthenticated attackers to remove and add items to other user's wishlists."}], "title": "Wisly <= 1.0.0 - Insecure Direct Object Reference to Unauthenticated Wishlist Manipulation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b311b404-f808-40fc-9f09-4eac05bce798?source=cve"}, {"url": "https://wordpress.org/plugins/wisly/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "cweId": "CWE-639", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Itthidej Aramsri"}], "timeline": [{"time": "2025-11-10T14:57:28.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-12T15:12:11.231194Z", "id": "CVE-2025-11532", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-12T20:05:28.344Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11532", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-12T15:12:11.231194Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-12T15:12:13.180Z"}}], "cna": {"title": "Wisly <= 1.0.0 - Insecure Direct Object Reference to Unauthenticated Wishlist Manipulation", "credits": [{"lang": "en", "type": "finder", "value": "Itthidej Aramsri"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "softivus", "product": "Wisly", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-10T14:57:28.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b311b404-f808-40fc-9f09-4eac05bce798?source=cve"}, {"url": "https://wordpress.org/plugins/wisly/"}], "descriptions": [{"lang": "en", "value": "The Wisly plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0.0 due to missing validation on the 'wishlist_id' user controlled key. This makes it possible for unauthenticated attackers to remove and add items to other user's wishlists."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:16:35.718Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11532", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:16:35.718Z", "dateReserved": "2025-10-08T19:14:04.214Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-11T03:30:47.370Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Wisly plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0.0 due to missing validation on the 'wishlist_id' user controlled key. This makes it possible for unauthenticated attackers to remove and add items to other user's wishlists."}], "id": "CVE-2025-11532", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-11T04:15:41.953", "references": [{"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/wisly/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b311b404-f808-40fc-9f09-4eac05bce798?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T00:36:22.249369+00:00", "value": {"mitigation_remediation": ["Update the Wisly plugin to a version newer than 1.0.0, which introduces validation for the 'wishlist_id' parameter.", "Prevent unauthenticated users from accessing the wishlist editing feature by configuring user role permissions in WordPress or using a plugin setting to disable the feature for non\u2011logged\u2011in users.", "Implement server\u2011side checks that reject any request containing a 'wishlist_id' unless the requester is authenticated and authorized to modify that specific wishlist."], "summary": {"action": "Apply Patch", "impact": "Unauthenticated Wishlist Manipulation"}, "threat_synthesis": {"affected_systems": "All installations of Softivus Wisly version 1.0.0 or earlier on WordPress sites. The vulnerability applies to any site that has the plugin enabled and does not restrict wishlist editing to authenticated users.", "description_and_impact": "The Wisly WordPress plugin is vulnerable to an insecure direct object reference (CWE-639) that permits unauthenticated attackers to remove or add items to other users\u2019 wishlists. The flaw exists because the plugin fails to validate the user\u2011controlled 'wishlist_id' parameter before modifying wishlist contents. This weakness allows an attacker to alter any wishlist identified by that parameter, potentially changing, deleting, or exposing private wishlist items.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate risk. The EPSS score of less than 1% suggests that widespread exploitation is unlikely at present, and the vulnerability is not listed in CISA's KEV catalog. The attack vector is inferred to be external, via crafted HTTP requests that include an arbitrary 'wishlist_id'. An attacker only needs to supply a valid or guessed wishlist identifier and can add or delete items regardless of the wishlist owner\u2019s privileges."}}}}, "created": "2025-11-12T12:43:01.700476+00:00", "updated": "2026-04-22T00:45:04.155772+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}