CVE-2025-58247

What the

Vulnerability Is

CVE-2025-58247 is a missing authorization vulnerability in the TI WooCommerce Wishlist plugin for WordPress, affecting versions through 2.10.0. The plugin fails to properly enforce access control security levels, allowing exploitation of incorrectly configured access control mechanisms. This means that certain functions or endpoints that should require authentication or specific permissions are left unprotected [1].

How

It Is Exploited

An attacker can exploit this broken access control by sending crafted requests to the vulnerable plugin endpoints without needing any prior authentication. The vulnerability is particularly concerning because it can be used in mass-exploit campaigns, targeting thousands of websites at once regardless of their traffic size or popularity [1]. No special privileges or user interaction are required for exploitation.

Impact

Successful exploitation allows an unauthenticated attacker to perform actions that should be restricted to higher-privileged users, such as modifying wishlist data or accessing protected settings. While the CVSS score (5.3) indicates medium severity, the real-world risk is elevated by the plugin's wide usage and the potential for automated, widespread attacks [1].

Mitigation

Status

The vendor has released version 2.11.0 which fixes the vulnerability. Users are strongly advised to update immediately. For those unable to update, consulting a hosting provider or web developer is recommended. Patchstack users can enable auto-updates for vulnerable plugins only [1].