Vulnerabilities and security researches foraco-wishlist-for-woocommerce aco-wishlist-for-woocommerce

Dec 11, 2025

CVE, Research URL: CVE-2025-12087
Home page URL: Security reports for Wishlist and Save for later for Woocommerce
Application: Wishlist and Save for later for Woocommerce
Date: Nov 12, 2025
Research Description: The Wishlist and Save for later for Woocommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.22 via the 'awwlm_remove_added_wishlist_page' AJAX action due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete wishlist items from other user's wishlists.
Affected versions: max 1.1.23.
Status: vulnerable