CVE-2025-68024

The Addonify – WooCommerce Wishlist plugin for WordPress versions up to and including 2.0.15 contains a Missing Authorization vulnerability. This flaw allows attackers to exploit incorrectly configured access control security levels, enabling unauthorized modification of plugin settings without proper authentication [1].

The vulnerability can be exploited by unauthenticated attackers who send crafted requests to the affected plugin's endpoints. No special privileges or user interaction are required, making it accessible to anyone with network access to the WordPress site [1].

Successful exploitation allows an attacker to change the plugin's configuration settings. This could lead to disruption of the wishlist functionality, potential data exposure, or further compromise of the site depending on the settings that can be altered [1].

The vulnerability is patched in version 2.0.16 of the plugin. Users are strongly advised to update immediately. For those unable to update, Patchstack provides a mitigation rule to block attacks until the update can be applied [1]. This vulnerability is considered moderately dangerous and is expected to be used in mass-exploit campaigns [1].