Vulnerabilities and security researches forwoo-smart-wishlist woo-smart-wishlist

Jun 06, 2024

CVE, Research URL: CVE-2022-0397
Home page URL: Security reports for WPC Smart Wishlist for WooCommerce
Application: WPC Smart Wishlist for WooCommerce
Date: Mar 28, 2022
Research Description: The WPC Smart Wishlist for WooCommerce WordPress plugin before 2.9.4 does not sanitise and escape the key parameter before outputting it back in the wishlist_quickview AJAX action's response (available to any authenticated user), leading to a Reflected Cross-Site Scripting
Affected versions: max 2.9.4.
Status: vulnerable

CVE, Research URL: CVE-2022-1465
Home page URL: Security reports for WPC Smart Wishlist for WooCommerce
Application: WPC Smart Wishlist for WooCommerce
Date: May 16, 2022
Research Description: The WPC Smart Wishlist for WooCommerce WordPress plugin before 2.9.9 does not sanitise and escape a parameter before outputting it back in an attribute via an AJAX action, leading to a Reflected Cross-Site Scripting issue.
Affected versions: max 2.9.9.
Status: vulnerable

CVE, Research URL: CVE-2023-34386
Home page URL: Security reports for WPC Smart Wishlist for WooCommerce
Application: WPC Smart Wishlist for WooCommerce
Date: Nov 09, 2023
Research Description: Cross-Site Request Forgery (CSRF) vulnerability in WPClever WPC Smart Wishlist for WooCommerce plugin <= 4.7.1 versions.
Affected versions: max 4.7.2.
Status: vulnerable

Nov 10, 2025

CVE, Research URL: CVE-2025-11742
Home page URL: Security reports for WPC Smart Wishlist for WooCommerce
Application: WPC Smart Wishlist for WooCommerce
Date: Oct 18, 2025
Research Description: The WPC Smart Wishlist for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wishlist_quickview' AJAX action in all versions up to, and including, 5.0.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view other user's wishlist data and information.
Affected versions: max 5.0.5.
Status: vulnerable

CVE, Research URL: CVE-2025-11518
Home page URL: Security reports for WPC Smart Wishlist for WooCommerce
Application: WPC Smart Wishlist for WooCommerce
Date: Oct 11, 2025
Research Description: The WPC Smart Wishlist for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.0.3 via several wishlist AJAX functions due to missing validation on a user controlled key that is exposed when wishlists are shared. This makes it possible for unauthenticated attackers to empty and add to other user's wishlists, if they have access to the key.
Affected versions: max 5.0.4.
Status: vulnerable