WordPress Plugin Vulnerabilities

QODE Wishlist for WooCommerce < 1.2.8 - Unauthenticated Insecure Direct Object Reference to Wishlist Update

Description

The QODE Wishlist for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.7 via the 'qode_wishlist_for_woocommerce_wishlist_table_item_callback' function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to update the public view of arbitrary wishlists.

Affects Plugins

Plugin icon
qode-wishlist-for-woocommerce
Fixed in 1.2.8

References

CVE
CVE-2025-13157
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/b15d1992-ecf9-4253-b832-056b34f42b48

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Athiwat Tiprasaharn (Jitlada), Powpy, Peerapat Samatathanyakorn
Verified
No
WPVDB ID
630db9ba-c3c0-4b0b-90f0-553f131aaf4d

Timeline

Publicly Published
2025-11-26 (about 6 months ago)
Added
2025-11-26 (about 6 months ago)
Last Updated
2025-11-27 (about 6 months ago)

Other

Published
Title
Published
2024-02-05
Title
CP Polls < 1.0.72 - Unauthenticated Poll Limit Bypass
Published
2025-11-24
Title
Frontend File Manager Plugin < 23.5 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary File Renaming
Published
2024-12-05
Title
PowerPack Elementor Addons (Free Widgets, Extensions and Templates) < 2.8.2 - Authenticated (Contributor+) Post Disclosure
Published
2023-11-03
Title
Youzify < 1.2.3 - Insecure Direct Object Reference
Published
2025-12-29
Title
FiveStar <= 1.7 - Authenticated (Subscriber+) Insecure Direct Object Reference