Description
The QODE Wishlist for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.7 via the 'qode_wishlist_for_woocommerce_wishlist_table_item_callback' function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to update the public view of arbitrary wishlists.
Published: 2025-11-27
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized modification of public wishlists
Action: Patch Immediately
AI Analysis

Impact

The QODE Wishlist for WooCommerce plugin contains an insecure direct object reference (CWE-639). The 'qode_wishlist_for_woocommerce_wishlist_table_item_callback' function accepts a user‑controlled key without validation, enabling an unauthenticated attacker to alter the public view of any wishlist. This could lead to unauthorized modifications of wishlist contents, mislead customers, and potentially impact trust.

Affected Systems

WordPress sites that have installed the QODE Wishlist for WooCommerce plugin, specifically any release up to and including version 1.2.7. The plugin is maintained by QODE Interactive.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% suggests the exploitation probability is currently low. The vulnerability is not listed in the CISA KEV catalog. Because the flaw is unauthenticated, an attacker only needs to send a crafted request to the plugin’s AJAX endpoint; no prior authentication is required. The exploit path is therefore simple and could be automated if an attacker chooses to target multiple sites.

Generated by OpenCVE AI on April 21, 2026 at 01:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the QODE Wishlist for WooCommerce plugin to the latest version that removes the insecure key validation.
  • If an update is not immediately possible, restrict the wishlist update endpoint to authenticated users or add a CSRF token to protect against unauthorized requests.
  • Apply a web application firewall rule to block unauthenticated POST requests to the wishlist update URL and monitor logs for suspicious activity.

Generated by OpenCVE AI on April 21, 2026 at 01:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 28 Nov 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 27 Nov 2025 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Qodeinteractive
Qodeinteractive qode Wishlist For Woocommerce
Woocommerce
Woocommerce woocommerce
Wordpress
Wordpress wordpress
Vendors & Products Qodeinteractive
Qodeinteractive qode Wishlist For Woocommerce
Woocommerce
Woocommerce woocommerce
Wordpress
Wordpress wordpress

Thu, 27 Nov 2025 07:00:00 +0000

Type Values Removed Values Added
Description The QODE Wishlist for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.7 via the 'qode_wishlist_for_woocommerce_wishlist_table_item_callback' function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to update the public view of arbitrary wishlists.
Title QODE Wishlist for WooCommerce <= 1.2.7 - Unauthenticated Insecure Direct Object Reference to Wishlist Update
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Qodeinteractive Qode Wishlist For Woocommerce
Woocommerce Woocommerce
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:16:14.208Z

Reserved: 2025-11-13T23:05:58.684Z

Link: CVE-2025-13157

cve-icon Vulnrichment

Updated: 2025-11-28T16:04:53.799Z

cve-icon NVD

Status : Deferred

Published: 2025-11-27T07:15:54.943

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13157

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T01:30:24Z

Weaknesses