Vulnerabilities and security researches forwishlist wishlist

Feb 27, 2025

CVE, Research URL: CVE-2025-26915
Home page URL: Security reports for Wishlist
Application: Wishlist
Date: Feb 25, 2025
Research Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in PickPlugins Wishlist allows SQL Injection. This issue affects Wishlist: from n/a through 1.0.41.
Affected versions: Min -, max -.
Status: vulnerable

Mar 08, 2025

CVE, Research URL: CVE-2024-12809
Home page URL: Security reports for Wishlist
Application: Wishlist
Date: Mar 07, 2025
Research Description: The Wishlist plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wishlist_button' shortcode in all versions up to, and including, 1.0.43 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: Min -, max -.
Status: vulnerable

Apr 06, 2025

CVE, Research URL: CVE-2025-32272
Home page URL: Security reports for Wishlist
Application: Wishlist
Date: Apr 04, 2025
Research Description: Wishlist [wishlist] <= 1.0.44 (unfixed) CVE-2025-32272 [en] Cross-Site Request Forgery (CSRF) vulnerability in PickPlugins Wishlist allows Cross Site Request Forgery. This issue affects Wishlist: from n/a through 1.0.44.
Affected versions: Min -, max -.
Status: vulnerable