WordPress Plugin Vulnerabilities

ThemeHigh WooCommerce Wishlist and Comparison < 1.0.5 - Unauthorised AJAX call

Description

Some AJAX actions did not have proper CSRF and authorisation checks, allowing unauthorised call either via unauthenticated/low privilege users or CSRF, which could allow attackers to reset or change the settings of the plugin for example

Proof of Concept

Affects Plugins

Plugin icon
wishlist-and-compare
Fixed in 1.0.5

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
7.2 (high)

Miscellaneous

Original Researcher
WPScanTeam
Verified
Yes
WPVDB ID
ad09a648-3c34-4870-b156-097af4fd7a57

Timeline

Publicly Published
2021-05-08 (about 4 years ago)
Added
2021-05-08 (about 4 years ago)
Last Updated
2021-05-08 (about 4 years ago)

Other

Published
Title
Published
2025-07-03
Title
DocCheck Login < 1.1.6 - Unauthorized Post Access
Published
2021-03-30
Title
Controlled Admin Access < 1.5.6 - Improper Access Control to Privilege Escalation
Published
2024-02-19
Title
Coming Soon Maintenance Mode < 1.0.6 - Information Exposure
Published
2020-08-03
Title
Product Input Fields for WooCommerce < 1.2.7 - Unauthenticated File Download
Published
2023-11-28
Title
JetEngine < 3.2.5 - Authenticated (Contributor+) Privilege Escalation