WordPress Plugin Vulnerabilities

WooCommerce Wishlist < 1.8.8 - Unauthenticated Wishlist Disclosure via download_pdf_file Function

Description

The WooCommerce Wishlist (High customization, fast setup,Free Elementor Wishlist, most features) plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.8.7 via the download_pdf_file() function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to extract data from wishlists that they should not have access to.

Affects Plugins

Plugin icon
smart-wishlist-for-more-convert
Fixed in 1.8.8

References

CVE
CVE-2024-13694
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/59fe7630-ab94-419f-aca5-39b74d86ae4e

Miscellaneous

Original Researcher
Tim Coen
Verified
No
WPVDB ID
ed3db8cd-6365-436a-9227-aeb0c856b36c

Timeline

Publicly Published
2025-01-29 (about 1 year ago)
Added
2025-01-30 (about 1 year ago)
Last Updated
2025-01-30 (about 1 year ago)

Other

Published
Title
Published
2016-12-21
Title
trMedia for WordPress <= 4.2 - Unspecified Issues
Published
2023-05-30
Title
Blog-in-Blog <= 1.1.1 - Editor+ Local File Inclusion via Shortcode
Published
2018-01-18
Title
Instagram Feed < 1.6 - Cross-Site Scripting (XSS)
Published
2023-06-29
Title
Web3 – Crypto wallet Login & NFT token gating < 2.7.0 - Authentication Bypass
Published
2020-02-05
Title
Events Manager Pro < 2.6.7.2 - CSV Injection