Missing authorization (CWE-862) in the TI WooCommerce Wishlist plugin allows attackers to exploit incorrectly configured access control settings, potentially enabling unauthorized access to or manipulation of users’ wishlists. The weakness can be used to view, edit, or delete wishlist items belonging to other users, exposing personal shopping preferences and possibly sensitive data.

The vulnerability affects WordPress sites that use the TI WooCommerce Wishlist plugin from the earliest release up through version 2.10.0. All installations running any version of the plugin in that range are potentially impacted, regardless of custom configuration. The affected product is developed by templateinvaders.

With a current CVSS score of 5.3, the issue is considered moderate and introduces a potential data privacy breach. The EPSS score of less than 1 % indicates that exploitation in the wild is unlikely at present, and the vulnerability is not listed in the CISA KEV catalog. However, the attack vector is likely remote via the WordPress web interface, meaning any attacker who can access the site could craft requests to reach the privileged plugin endpoints. Defensive measures should therefore focus on disabling or patching the plugin and ensuring proper access constraints.