WordPress Plugin Vulnerabilities

TI WooCommerce Wishlist < 2.9.2 - Unauthenticated Plugin Setup Wizard Access

Description

The plugin is vulnerable to unauthorized modification of data due to a missing capability check on the 'wizard' function. This makes it possible for unauthenticated attackers to create new pages, modify plugin settings, and perform limited options updates.

Affects Plugins

Plugin icon
ti-woocommerce-wishlist
Fixed in 2.9.2

References

CVE
CVE-2024-10567
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/0a5f2e1a-2216-4885-9b74-a08142816f2b

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
7.5 (high)

Miscellaneous

Original Researcher
abrahack
Verified
No
WPVDB ID
4b1cae90-897c-494d-9795-11fe3adde43c

Timeline

Publicly Published
2024-12-03 (about 1 year ago)
Added
2024-12-04 (about 1 year ago)
Last Updated
2024-12-04 (about 1 year ago)

Other

Published
Title
Published
2025-11-17
Title
Multiple Roles per User <= 1.0 - Missing Authorization to Authenticated (Custom+) Privilege Escalation
Published
2024-10-17
Title
SendGrid for WordPress <= 1.4 - Missing Authorization to Authenticated (Subscriber+) Log Deletion
Published
2026-01-23
Title
Alchemist Ajax Upload <= 1.1 - Missing Authorization to Unauthenticated Arbitrary Media File Deletion
Published
2025-06-05
Title
Wordapp <= 1.7.0 - Missing Authorization
Published
2026-01-28
Title
WP-CORS <= 0.2.2 - Missing Authorization