Medium severity5.3NVD Advisory· Published Oct 11, 2025· Updated Apr 15, 2026

CVE-2025-11518

Description

The WPC Smart Wishlist for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.0.3 via several wishlist AJAX functions due to missing validation on a user controlled key that is exposed when wishlists are shared. This makes it possible for unauthenticated attackers to empty and add to other user's wishlists, if they have access to the key.

Affected products

WordPress/Woo Smart Wishlistinferred
Range: <=5.0.3
Package: https://wordpress.org/plugins/woo-smart-wishlist

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

plugins.trac.wordpress.org/changesetnvd
www.wordfence.com/threat-intel/vulnerabilities/id/afe275b4-edc0-4b19-a91f-5099a085e8cenvd

News mentions

No linked articles in our index yet.

cvss	0.345
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000