Description
Missing Authorization vulnerability in WPClever WPC Smart Wishlist for WooCommerce woo-smart-wishlist allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPC Smart Wishlist for WooCommerce: from n/a through <= 5.0.8.
Published: 2026-03-13
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access
Action: Patch
AI Analysis

Impact

The vulnerability is a Missing Authorization issue in the WordPress WPC Smart Wishlist for WooCommerce plugin allowing an attacker to bypass the plugin's access control and access wishlist functionality or data that should be protected. This enforcement weakness is classified as CWE‑862 and can potentially expose confidential wishlist information or alter wishlist state. The brief description indicates a simple access control bypass rather than external code execution or DoS.

Affected Systems

The affected vendor is WPClever and the product is the WPC Smart Wishlist for WooCommerce plugin. All releases through version 5.0.8 are impacted, including earlier unversioned or legacy releases. No higher version is specified as affected.

Risk and Exploitability

The CVSS v3.1 score is 4.3, indicating a Moderate severity. The EPSS score is below 1%, implying a low likelihood of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Because the issue is a Missing Authorization flaw, the likely attack vector is client‑side interaction with the plugin's endpoints or administrative console, and no elevated privileges are required. An attacker exploiting this flaw could read or modify wishlist data without authentication.

Generated by OpenCVE AI on March 19, 2026 at 15:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest plugin update that addresses the access control issue.
  • If an update is not yet available, disable or remove the plugin until a fix is released.
  • Verify that no users have exposed wishlist content by reviewing plugin role assignments and access permissions.
  • Monitor the plugin for any future security advisories or updates.

Generated by OpenCVE AI on March 19, 2026 at 15:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpclever
Wpclever wpc Smart Wishlist For Woocommerce
Vendors & Products Wordpress
Wordpress wordpress
Wpclever
Wpclever wpc Smart Wishlist For Woocommerce

Sun, 15 Mar 2026 04:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 13 Mar 2026 20:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Fri, 13 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in WPClever WPC Smart Wishlist for WooCommerce woo-smart-wishlist allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPC Smart Wishlist for WooCommerce: from n/a through <= 5.0.8.
Title WordPress WPC Smart Wishlist for WooCommerce plugin <= 5.0.8 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Wordpress Wordpress
Wpclever Wpc Smart Wishlist For Woocommerce
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:16:11.414Z

Reserved: 2026-03-12T11:11:14.586Z

Link: CVE-2026-32407

cve-icon Vulnrichment

Updated: 2026-03-13T18:55:16.236Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-13T19:54:57.210

Modified: 2026-03-16T14:53:46.157

Link: CVE-2026-32407

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-23T12:03:55Z

Weaknesses