{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11742", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-14T14:04:03.801Z", "datePublished": "2025-10-18T05:41:56.648Z", "dateUpdated": "2026-04-08T16:56:40.379Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:56:40.379Z"}, "affected": [{"vendor": "wpclever", "product": "WPC Smart Wishlist for WooCommerce", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.0.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WPC Smart Wishlist for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wishlist_quickview' AJAX action in all versions up to, and including, 5.0.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view other user's wishlist data and information."}], "title": "WPC Smart Wishlist for WooCommerce <= 5.0.4 - Missing Authorization to Authenticated (Subscriber+) Information Exposure", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/60d65c7e-5533-4ac0-b2f0-339342224581?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3378540%40woo-smart-wishlist&new=3378540%40woo-smart-wishlist&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "timeline": [{"time": "2025-10-14T14:19:15.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-10-17T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-20T19:00:06.549583Z", "id": "CVE-2025-11742", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-20T19:00:15.871Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11742", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-20T19:00:06.549583Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-20T19:00:11.814Z"}}], "cna": {"title": "WPC Smart Wishlist for WooCommerce <= 5.0.4 - Missing Authorization to Authenticated (Subscriber+) Information Exposure", "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "wpclever", "product": "WPC Smart Wishlist for WooCommerce", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "5.0.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-14T14:19:15.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-10-17T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/60d65c7e-5533-4ac0-b2f0-339342224581?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3378540%40woo-smart-wishlist&new=3378540%40woo-smart-wishlist&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The WPC Smart Wishlist for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wishlist_quickview' AJAX action in all versions up to, and including, 5.0.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view other user's wishlist data and information."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:56:40.379Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11742", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:56:40.379Z", "dateReserved": "2025-10-14T14:04:03.801Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-18T05:41:56.648Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WPC Smart Wishlist for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wishlist_quickview' AJAX action in all versions up to, and including, 5.0.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view other user's wishlist data and information."}], "id": "CVE-2025-11742", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-18T06:15:38.537", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3378540%40woo-smart-wishlist&new=3378540%40woo-smart-wishlist&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/60d65c7e-5533-4ac0-b2f0-339342224581?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T12:43:29.777132+00:00", "value": {"mitigation_remediation": ["Upgrade the WPC Smart Wishlist for WooCommerce plugin to version 5.0.5 or higher, which includes the missing capability check on the wishlist_quickview action.", "Verify all installed plugins are up to date and review permissions for other plugins to ensure they do not expose similar data via AJAX endpoints.", "If an upgrade is not immediately possible, limit the access rights of Subscriber users by adjusting role capabilities so they cannot execute the 'wishlist_quickview' action until a patch is applied."], "summary": {"action": "Patch", "impact": "Information Disclosure to Authenticated Users"}, "threat_synthesis": {"affected_systems": "The affected product is WPC Smart Wishlist for WooCommerce (wpclever) in all releases up to and including version 5.0.4. Users running any version 5.0.4 or older are vulnerable regardless of how many sites or users they host.", "description_and_impact": "The vulnerability lies in the WPC Smart Wishlist for WooCommerce plugin where the AJAX endpoint 'wishlist_quickview' lacks the necessary capability check for the 'wishlist_quickview' action. This omission allows an authenticated WordPress user who holds at least a Subscriber role to request and view another user's wishlist data, including item details and personal information that should remain private. The weakness is defined as a missing authorization (CWE-862).", "risk_and_exploitability": "The CVSS score of 4.3 categorizes the vulnerability as Low. The EPSS score of less than 1% suggests that exploitation is unlikely but not impossible. The advisory notes that the issue is not listed in CISA's KEV catalog. The attack requires an authenticated user with Subscriber role or higher, who can then send AJAX requests to the 'wishlist_quickview' endpoint to retrieve another user\u2019s wishlist information."}}}}, "created": "2025-10-20T13:21:37.316790+00:00", "updated": "2026-04-22T12:45:17.031132+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpclever", "wpclever$PRODUCT$wpc_smart_wishlist_for_woocommerce"]}