Description
Missing Authorization vulnerability in Addonify Addonify – WooCommerce Wishlist addonify-wishlist allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Addonify – WooCommerce Wishlist: from n/a through <= 2.0.15.
Published: 2026-02-20
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Modification of Plugin Settings
Action: Update Plugin
AI Analysis

Impact

The WordPress Addonify – WooCommerce Wishlist plugin suffers from a missing authorization flaw that allows an attacker to modify plugin settings without proper privilege verification. The vulnerability stems from an incorrectly implemented access control check, which enables unauthorized configuration changes. Altering these settings can disrupt normal wishlist functionality and potentially expose the site to further risks if the plugin’s configuration is used to control other features, but the CVE description indicates no exploitation beyond configuration changes.

Affected Systems

All installations of Addonify – WooCommerce Wishlist for WordPress that are at version 2.0.15 or earlier are susceptible. The flaw is confined to the plugin’s settings interface and does not affect WordPress core or unrelated plugins.

Risk and Exploitability

The CVSS score of 6.5 signals moderate severity. The EPSS score is below 1%, implying a low likelihood of exploitation at present, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation most likely occurs via the plugin’s settings page accessed in a web browser; it is inferred that the attacker may need the session of any authenticated WordPress user that the plugin incorrectly trusts, but the CVE data does not explicitly state the required authentication level.

Generated by OpenCVE AI on April 28, 2026 at 09:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Addonify – WooCommerce Wishlist plugin to version 2.0.16 or later, which includes the access control fix.
  • Restrict changes on the plugin’s settings page to users with the administrator role by verifying the role checks in the WordPress back‑end.
  • Review the current wishlist configuration for unexpected values and consult server logs for unauthorized modifications to confirm whether the vulnerability has been exploited.



Advisories

No advisories yet.

History

Tue, 24 Feb 2026 22:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Feb 2026 15:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Addonify; Addonify addonify – Woocommerce Wishlist; Wordpress; Wordpress wordpress
Vendors & Products | | Addonify; Addonify addonify – Woocommerce Wishlist; Wordpress; Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Type | Values Removed | Values Added
Description | | Missing Authorization vulnerability in Addonify Addonify – WooCommerce Wishlist addonify-wishlist allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Addonify – WooCommerce Wishlist: from n/a through <= 2.0.15.
Title | | WordPress Addonify – WooCommerce Wishlist plugin <= 2.0.15 - Settings Change vulnerability
Weaknesses | | CWE-862
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:55:21.612Z

Reserved: 2025-12-15T10:00:59.034Z

Link: CVE-2025-68024

Vulnrichment

Updated: 2026-02-24T21:32:09.427Z

NVD

Status: Deferred

Published: 2026-02-20T16:22:07.527

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-68024

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T09:45:28Z

Weaknesses