CVE-2026-32407
Description
Missing Authorization vulnerability in WPClever WPC Smart Wishlist for WooCommerce woo-smart-wishlist allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPC Smart Wishlist for WooCommerce: from n/a through <= 5.0.8.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The WPC Smart Wishlist for WooCommerce plugin up to 5.0.8 has a broken access control vulnerability allowing unprivileged attackers to perform unauthorized actions.
The WPC Smart Wishlist for WooCommerce plugin (slug: woo-smart-wishlist) for WordPress is affected by a missing authorization vulnerability in versions up to and including 5.0.8. The issue stems from incorrectly configured access control security levels, where functions or nonce tokens are not properly validated, allowing actions intended for higher-privileged users to be executed by unauthenticated or low-privileged attackers [1].
Exploitation does not require authentication or any special user role; an attacker can exploit this broken access control directly via crafted requests to the plugin's endpoints. The vulnerability is classified as a mass-exploit campaign target, meaning it can be used to attack thousands of websites simultaneously regardless of their size or popularity [1].
The impact of successful exploitation is that an attacker can perform unauthorized actions, such as modifying wishlist data or accessing functionalities that should be restricted, potentially leading to data exposure or other integrity violations. The CVSS v3 base score is 4.3 (Medium), but the advisory notes the severity is considered low for WordPress contexts [1].
The vulnerability has been patched in version 5.0.9. Users are strongly advised to update immediately. As a workaround for those who cannot update immediately, consulting with a hosting provider or web developer is recommended. Patchstack subscribers can enable auto-updates for this plugin [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <= 5.0.8
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.