Description
The Wishlist and Save for later for Woocommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.22 via the 'awwlm_remove_added_wishlist_page' AJAX action due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete wishlist items from other user's wishlists.
Published: 2025-11-12
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Insecure deletion of other users' wishlist items via IDOR
Action: Apply updates
AI Analysis

Impact

The WooCommerce Wishlist plugin contains an insecure direct object reference in the ‘awwlm_remove_added_wishlist_page’ AJAX action. Because the request is not validated against the requester's identity, an authenticated user with a Subscriber role or higher can delete any wishlist item belonging to another user. This allows a malicious actor to erase selected products from other customers’ wishlists, damaging data integrity and potentially undermining customer trust in the e‑commerce platform, but it does not provide code execution or broader system compromise.

Affected Systems

Any WordPress site running the acowebs Wishlist and Save for later for WooCommerce plugin with a version of 1.1.22 or earlier, regardless of the WordPress or WooCommerce version, is affected.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate severity. The EPSS score of less than 1% shows a very low current exploitation probability, and the vulnerability is not listed in CISA KEV. Exploitation requires a valid account; the attacker needs only Subscriber-level access, so the attack vector is user‑based. Although the impact is limited to data tampering, the ease of operation and lack of authentication checks raise the practical risk for sites with many active users.

Generated by OpenCVE AI on April 22, 2026 at 21:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Wishlist plugin to a version that removes the insecure AJAX action or, if no update is available, deactivate or uninstall the plugin immediately.
  • If the plugin must remain active, restrict the ‘awwlm_remove_added_wishlist_page’ action to administrator roles by adding a server‑side authorization check for the current user’s capability.
  • Add a Web Application Firewall rule that blocks or requires a valid nonce for requests to awwlm_remove_added_wishlist_page to reduce the chance of successful IDOR exploitation.

Generated by OpenCVE AI on April 22, 2026 at 21:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 12 Nov 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 12 Nov 2025 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Acowebs
Acowebs wishlist And Save For Later For Woocommerce
Wordpress
Wordpress wordpress
Vendors & Products Acowebs
Acowebs wishlist And Save For Later For Woocommerce
Wordpress
Wordpress wordpress

Wed, 12 Nov 2025 04:45:00 +0000

Type Values Removed Values Added
Description The Wishlist and Save for later for Woocommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.22 via the 'awwlm_remove_added_wishlist_page' AJAX action due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete wishlist items from other user's wishlists.
Title Wishlist and Save for later for Woocommerce <= 1.1.22 - Insecure Direct Object Reference to Authenticated (Subscriber+) Wishlist Item Deletion
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Acowebs Wishlist And Save For Later For Woocommerce
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:37:31.576Z

Reserved: 2025-10-22T18:11:13.326Z

Link: CVE-2025-12087

cve-icon Vulnrichment

Updated: 2025-11-12T18:32:38.908Z

cve-icon NVD

Status : Deferred

Published: 2025-11-12T05:15:39.020

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12087

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T21:15:27Z

Weaknesses