Published: 2025-11-27T07:15:54.943
Overview
CVE-2025-13157 is a medium severity vulnerability affecting the QODE Wishlist for WooCommerce plugin for WordPress. This plugin, in versions up to and including 1.2.7, is susceptible to an Insecure Direct Object Reference (IDOR) vulnerability. This flaw allows unauthenticated attackers to modify the publicly displayed information of arbitrary wishlists on a vulnerable WooCommerce store.
Technical Details
The vulnerability lies within the qode_wishlist_for_woocommerce_wishlist_table_item_callback function in the inc/wishlist/shortcodes/wishlist-table/helper-ajax.php file. The plugin fails to properly validate user-supplied input, specifically a user-controlled key, when updating wishlist items. This lack of validation enables attackers to directly reference and modify wishlist data without proper authorization. This is a classic example of an IDOR, where an attacker can guess or enumerate the IDs of resources (in this case, wishlist items) and manipulate them.
The vulnerable code is related to how the plugin handles AJAX requests for updating the wishlist table. By manipulating the request parameters, an attacker can target any existing wishlist.
CVSS Analysis
- Severity: MEDIUM
- CVSS Score: 5.3
The CVSS score of 5.3 indicates a Medium severity vulnerability. While the impact is significant (modification of wishlist data), the attack complexity is relatively low and requires no authentication. The attack vector is network-based.
Possible Impact
Successful exploitation of this vulnerability could have several negative consequences:
- Defacement of Wishlists: Attackers can modify wishlist contents, potentially adding inappropriate or misleading items.
- Phishing Attacks: Modified wishlists could be used to redirect users to malicious websites or display deceptive messages.
- Reputation Damage: Compromised wishlists can erode customer trust in the website and brand.
Mitigation and Patch Steps
The vulnerability has been addressed in a later version of the QODE Wishlist for WooCommerce plugin. The following steps are recommended:
- Update the Plugin: Immediately update the QODE Wishlist for WooCommerce plugin to the latest available version through the WordPress dashboard. This is the most effective way to mitigate the vulnerability. The fix was introduced in this changeset.
- Monitor for Suspicious Activity: Keep an eye on your website’s logs and wishlist activity for any unusual behavior.
- Web Application Firewall (WAF): Consider using a WAF to provide an additional layer of security and potentially block exploitation attempts. However, updating the plugin is the primary recommended solution.
