{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13157", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-13T23:05:58.684Z", "datePublished": "2025-11-27T06:42:13.311Z", "dateUpdated": "2026-04-08T17:16:14.208Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:16:14.208Z"}, "affected": [{"vendor": "qodeinteractive", "product": "QODE Wishlist for WooCommerce", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.2.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The QODE Wishlist for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.7 via the 'qode_wishlist_for_woocommerce_wishlist_table_item_callback' function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to update the public view of arbitrary wishlists."}], "title": "QODE Wishlist for WooCommerce <= 1.2.7 - Unauthenticated Insecure Direct Object Reference to Wishlist Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b15d1992-ecf9-4253-b832-056b34f42b48?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/qode-wishlist-for-woocommerce/trunk/inc/wishlist/shortcodes/wishlist-table/helper-ajax.php#L95"}, {"url": "https://plugins.trac.wordpress.org/changeset/3402469/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "cweId": "CWE-639", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}, {"lang": "en", "type": "finder", "value": "Powpy"}, {"lang": "en", "type": "finder", "value": "Peerapat Samatathanyakorn"}], "timeline": [{"time": "2025-11-13T23:21:49.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-11-26T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-28T16:04:37.867112Z", "id": "CVE-2025-13157", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-28T16:05:01.856Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13157", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-28T16:04:37.867112Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-28T16:04:53.799Z"}}], "cna": {"title": "QODE Wishlist for WooCommerce <= 1.2.7 - Unauthenticated Insecure Direct Object Reference to Wishlist Update", "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}, {"lang": "en", "type": "finder", "value": "Powpy"}, {"lang": "en", "type": "finder", "value": "Peerapat Samatathanyakorn"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "qodeinteractive", "product": "QODE Wishlist for WooCommerce", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.2.7"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-13T23:21:49.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-11-26T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b15d1992-ecf9-4253-b832-056b34f42b48?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/qode-wishlist-for-woocommerce/trunk/inc/wishlist/shortcodes/wishlist-table/helper-ajax.php#L95"}, {"url": "https://plugins.trac.wordpress.org/changeset/3402469/"}], "descriptions": [{"lang": "en", "value": "The QODE Wishlist for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.7 via the 'qode_wishlist_for_woocommerce_wishlist_table_item_callback' function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to update the public view of arbitrary wishlists."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-11-27T06:42:13.311Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13157", "state": "PUBLISHED", "dateUpdated": "2025-11-28T16:05:01.856Z", "dateReserved": "2025-11-13T23:05:58.684Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-27T06:42:13.311Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The QODE Wishlist for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.7 via the 'qode_wishlist_for_woocommerce_wishlist_table_item_callback' function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to update the public view of arbitrary wishlists."}], "id": "CVE-2025-13157", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-27T07:15:54.943", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/qode-wishlist-for-woocommerce/trunk/inc/wishlist/shortcodes/wishlist-table/helper-ajax.php#L95"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3402469/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b15d1992-ecf9-4253-b832-056b34f42b48?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T01:15:34.960521+00:00", "value": {"mitigation_remediation": ["Update the QODE Wishlist for WooCommerce plugin to the latest version that removes the insecure key validation.", "If an update is not immediately possible, restrict the wishlist update endpoint to authenticated users or add a CSRF token to protect against unauthorized requests.", "Apply a web application firewall rule to block unauthenticated POST requests to the wishlist update URL and monitor logs for suspicious activity."], "summary": {"action": "Patch Immediately", "impact": "Unauthorized modification of public wishlists"}, "threat_synthesis": {"affected_systems": "WordPress sites that have installed the QODE Wishlist for WooCommerce plugin, specifically any release up to and including version 1.2.7. The plugin is maintained by QODE Interactive.", "description_and_impact": "The QODE Wishlist for WooCommerce plugin contains an insecure direct object reference (CWE-639). The 'qode_wishlist_for_woocommerce_wishlist_table_item_callback' function accepts a user\u2011controlled key without validation, enabling an unauthenticated attacker to alter the public view of any wishlist. This could lead to unauthorized modifications of wishlist contents, mislead customers, and potentially impact trust.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% suggests the exploitation probability is currently low. The vulnerability is not listed in the CISA KEV catalog. Because the flaw is unauthenticated, an attacker only needs to send a crafted request to the plugin\u2019s AJAX endpoint; no prior authentication is required. The exploit path is therefore simple and could be automated if an attacker chooses to target multiple sites."}}}}, "created": "2025-11-27T16:26:20.584500+00:00", "updated": "2026-04-21T01:30:24.382460+00:00", "vendors": ["qodeinteractive", "qodeinteractive$PRODUCT$qode_wishlist_for_woocommerce", "woocommerce", "woocommerce$PRODUCT$woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}