CVE-2025-11518: CWE-639 Authorization Bypass Through User-Controlled Key in wpclever WPC Smart Wishlist for WooCommerce
The WPC Smart Wishlist for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.0.3 via several wishlist AJAX functions due to missing validation on a user controlled key that is exposed when wishlists are shared. This makes it possible for unauthenticated attackers to empty and add to other user's wishlists, if they have access to the key.
AI Analysis
Technical Summary
CVE-2025-11518 is an authorization bypass (CWE-639, Authorization Bypass Through User-Controlled Key) in the WPC Smart Wishlist for WooCommerce plugin for WordPress, affecting all versions up to and including 5.0.3. The root cause is an Insecure Direct Object Reference (IDOR) in several of the plugin's wishlist AJAX functions: when a wishlist is shared, the plugin exposes a key that identifies that wishlist, and the AJAX handlers then use the client-supplied key to select which wishlist to modify without verifying that the caller owns it. A share key is meant to grant read access; here it also grants write access. Any unauthenticated party who has obtained the key (for example from a shared link) can therefore add items to, or empty, another user's wishlist.

The flaw affects only the integrity of wishlist data; it does not reveal more than sharing already reveals and does not affect availability. The CVSS v3.1 base score is 5.3 (medium): network attack vector, low complexity, no privileges or user interaction required, and a low integrity impact only. No patch and no public exploit are documented in this record at the time of writing, so operators should watch the plugin's changelog for a fixed release. The plugin is used on WooCommerce stores, which are common in Europe, and an attacker could use the flaw to tamper with shoppers' saved preferences, causing confusion or supporting fraud. The general lesson is that a user-supplied identifier must never be the sole basis for authorizing a write: the server must check that the authenticated principal is permitted to modify the referenced object.
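As an added illustration, not the plugin's own code (which this advisory does not reproduce), the following hypothetical WordPress AJAX handlers contrast the vulnerable pattern with a hardened one. Every name in it (the wpc_demo_ prefix, the action, option, meta and cookie names) is an assumption made for the example; the point is that the share key selects the object in the vulnerable handler, while the hardened handler derives the writable wishlist from the caller's own session and honours the key only for read-only viewing.

```php
<?php
// Added illustration; NOT the WPC Smart Wishlist code. All wpc_demo_* names,
// action names, option/meta/cookie names are assumptions for this example.

// Minimal stand-in storage: one option per wishlist, addressed by its share key.
function wpc_demo_load( string $key ): ?array {
    $list = get_option( 'wpc_demo_wishlist_' . $key );
    return is_array( $list ) ? $list : null;
}
function wpc_demo_save( string $key, array $list ): void {
    update_option( 'wpc_demo_wishlist_' . $key, $list );
}

// VULNERABLE pattern (CWE-639): the key from the request alone chooses the
// wishlist that gets modified. Anyone holding a shared link, logged in or not,
// can add to or empty someone else's list.
function wpc_demo_vuln_add() {
    $key        = sanitize_text_field( $_POST['key'] ?? '' );
    $product_id = absint( $_POST['product_id'] ?? 0 );
    $list = wpc_demo_load( $key );
    if ( $list === null ) {
        wp_send_json_error( 'no such wishlist' );
    }
    $list['items'][] = $product_id;          // no check that the caller owns $key
    wpc_demo_save( $key, $list );
    wp_send_json_success( $list );
}
add_action( 'wp_ajax_wpc_demo_vuln_add',        'wpc_demo_vuln_add' );
add_action( 'wp_ajax_nopriv_wpc_demo_vuln_add', 'wpc_demo_vuln_add' );

// HARDENED pattern: a share key grants read-only access. Writes are applied to
// the wishlist owned by the caller, resolved from the authenticated session (or,
// for guests, from an HttpOnly cookie only the owner's browser holds).
function wpc_demo_owner_key(): ?string {
    if ( is_user_logged_in() ) {
        $key = get_user_meta( get_current_user_id(), 'wpc_demo_wishlist_key', true );
        return $key !== '' ? $key : null;
    }
    $key = sanitize_text_field( $_COOKIE['wpc_demo_guest_key'] ?? '' );
    return $key !== '' ? $key : null;
}
function wpc_demo_safe_add() {
    check_ajax_referer( 'wpc_demo_nonce', 'nonce' );   // CSRF check; dies with 403 on failure
    $owner_key  = wpc_demo_owner_key();
    $product_id = absint( $_POST['product_id'] ?? 0 );
    if ( $owner_key === null || $product_id === 0 ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $list = wpc_demo_load( $owner_key ) ?? array( 'items' => array() );
    $list['items'][] = $product_id;           // $_POST['key'] is deliberately ignored
    wpc_demo_save( $owner_key, $list );
    wp_send_json_success( $list );
}
// Read-only view of a shared list: the only handler where the request's key is honoured.
function wpc_demo_safe_view() {
    $key  = sanitize_text_field( $_REQUEST['key'] ?? '' );
    $list = wpc_demo_load( $key );
    if ( $list === null ) {
        wp_send_json_error( 'no such wishlist', 404 );
    }
    wp_send_json_success( $list );
}
add_action( 'wp_ajax_wpc_demo_safe_add',         'wpc_demo_safe_add' );
add_action( 'wp_ajax_nopriv_wpc_demo_safe_add',  'wpc_demo_safe_add' );
add_action( 'wp_ajax_wpc_demo_safe_view',        'wpc_demo_safe_view' );
add_action( 'wp_ajax_nopriv_wpc_demo_safe_view', 'wpc_demo_safe_view' );
```

The nonce check in the hardened handler stops cross-site request forgery but is not the authorization fix on its own; a nonce can be fetched by any visitor of the page. The fix is that the object being written is chosen from who the caller is, not from a value the caller sends.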
Potential Impact
For European organizations operating WooCommerce-based e-commerce platforms using the WPC Smart Wishlist plugin, this vulnerability poses a risk to the integrity of customer data. Attackers can alter wishlist contents, potentially misleading customers, disrupting marketing campaigns, or causing reputational damage. While the vulnerability does not expose sensitive personal information or disrupt service availability, the manipulation of wishlists can undermine user trust and affect sales. Retailers relying on wishlist data for personalized recommendations or promotions may see degraded effectiveness. The risk is heightened in countries with high WooCommerce market penetration such as the United Kingdom, Germany, France, and the Netherlands. Additionally, organizations subject to strict data integrity and consumer protection regulations (e.g., GDPR) must consider the compliance implications of unauthorized data manipulation. Although no active exploitation is reported, the ease of exploitation without authentication means attackers could opportunistically target vulnerable sites, especially those with publicly accessible wishlist keys.
Mitigation Recommendations
Until an official patch is released, European organizations should implement several specific mitigations:
1) Update to a fixed release as soon as the vendor publishes one; this record lists no patched version, so check the plugin's changelog and this record for updates.
2) Treat shared wishlist keys as capability tokens until a fix is in place: do not publish shared wishlist URLs where third parties can collect them, and inform users that anyone holding a shared link can currently modify their list.
3) If you maintain a fork or a custom integration, make the server-side handlers authorize writes against the authenticated session (or the guest's own cookie) rather than the key supplied in the request; a share key should grant read access only.
4) Monitor the wishlist AJAX endpoints (typically requests to admin-ajax.php carrying the plugin's wishlist actions) for anomalous activity, such as rapid or repeated changes from the same IP, or one client modifying many distinct wishlist keys.
5) Consider disabling the wishlist sharing feature temporarily if it cannot be secured.
6) Educate developers and administrators on secure handling of user-controlled keys and the risks of IDOR vulnerabilities.
7) Review and harden other AJAX endpoints in the WooCommerce environment for similar authorization weaknesses.
8) Engage with the plugin vendor or community to obtain or expedite a security patch.
9) Employ web application firewalls (WAFs) with custom rules to rate-limit or block wishlist modification requests that reference many different keys from one client.
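An added example, not from the page or the plugin, of the monitoring described above: a small PHP script that scans constructed access-log lines for wishlist write actions and flags a client that touches many distinct keys or bursts writes in one minute. The action names (wishlist_add, wishlist_clear), the key parameter name and the thresholds are assumptions and must be adapted to the real plugin's request format.

```php
<?php
// Added example; not part of the advisory or the plugin. Log lines are constructed.
// Action names, the "key" parameter and the thresholds are assumptions.

$log = <<<'LOG'
203.0.113.5 - - [11/Oct/2025:08:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=wishlist_add&key=a1b2c3 HTTP/1.1" 200 512
203.0.113.5 - - [11/Oct/2025:08:01:03 +0000] "POST /wp-admin/admin-ajax.php?action=wishlist_clear&key=d4e5f6 HTTP/1.1" 200 87
203.0.113.5 - - [11/Oct/2025:08:01:03 +0000] "POST /wp-admin/admin-ajax.php?action=wishlist_clear&key=0f9e8d HTTP/1.1" 200 87
203.0.113.5 - - [11/Oct/2025:08:01:04 +0000] "POST /wp-admin/admin-ajax.php?action=wishlist_add&key=7c6b5a HTTP/1.1" 200 512
198.51.100.7 - - [11/Oct/2025:08:05:10 +0000] "POST /wp-admin/admin-ajax.php?action=wishlist_add&key=a1b2c3 HTTP/1.1" 200 512
198.51.100.7 - - [11/Oct/2025:08:07:44 +0000] "GET /wishlist/?key=a1b2c3 HTTP/1.1" 200 9031
LOG;

const WRITE_ACTIONS      = [ 'wishlist_add', 'wishlist_clear' ];  // assumed action names
const MAX_DISTINCT_KEYS  = 2;   // illustrative thresholds; tune to real traffic
const MAX_WRITES_PER_MIN = 3;

// Parse one combined-format access log line into the fields we need.
function wpc_parse_line( string $line ): ?array {
    if ( ! preg_match( '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"/', $line, $m ) ) {
        return null;
    }
    $params = [];
    $query  = parse_url( $m[4], PHP_URL_QUERY );
    if ( $query ) {
        parse_str( $query, $params );
    }
    $dt = DateTime::createFromFormat( 'd/M/Y:H:i:s O', $m[2] );
    return [
        'ip'     => $m[1],
        'ts'     => $dt ? $dt->getTimestamp() : 0,
        'method' => $m[3],
        'action' => $params['action'] ?? '',
        'key'    => $params['key'] ?? '',
    ];
}

// Return [ip => [reasons...]] for clients whose wishlist writes look like abuse.
function wpc_flag_suspicious( string $log ): array {
    $per_ip = [];
    foreach ( explode( "\n", trim( $log ) ) as $line ) {
        $r = wpc_parse_line( $line );
        if ( $r === null || $r['method'] !== 'POST' || ! in_array( $r['action'], WRITE_ACTIONS, true ) ) {
            continue;   // only write actions matter for this heuristic
        }
        $minute = intdiv( $r['ts'], 60 );
        $per_ip[ $r['ip'] ]['keys'][ $r['key'] ]     = true;
        $per_ip[ $r['ip'] ]['per_min'][ $minute ]   = ( $per_ip[ $r['ip'] ]['per_min'][ $minute ] ?? 0 ) + 1;
    }
    $flagged = [];
    foreach ( $per_ip as $ip => $stats ) {
        $reasons = [];
        if ( count( $stats['keys'] ) > MAX_DISTINCT_KEYS ) {
            $reasons[] = count( $stats['keys'] ) . ' distinct wishlist keys';
        }
        $peak = max( $stats['per_min'] );
        if ( $peak > MAX_WRITES_PER_MIN ) {
            $reasons[] = $peak . ' write requests in one minute';
        }
        if ( $reasons ) {
            $flagged[ $ip ] = $reasons;
        }
    }
    return $flagged;
}

foreach ( wpc_flag_suspicious( $log ) as $ip => $reasons ) {
    echo $ip . ': ' . implode( '; ', $reasons ) . "\n";
}
```

On the constructed sample, 203.0.113.5 is reported for four distinct keys and four writes within one minute, while 198.51.100.7, which adds to one list and then views it, is not. The same two counters (distinct keys per client, writes per client per minute) translate directly into a WAF rate-limiting rule for item 9.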
Affected Countries
United Kingdom, Germany, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-08T15:58:42.951Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68ea182c5baaa01f1c9bed32
Added to database: 10/11/2025, 8:41:16 AM
Last enriched: 10/19/2025, 1:01:21 AM
Last updated: 12/1/2025, 9:09:46 PM
Related Threats
- CVE-2025-65840: n/a (severity: Unknown)
- CVE-2025-66295: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in getgrav grav (severity: High)
- CVE-2025-55749: CWE-284: Improper Access Control in xwiki xwiki-platform (severity: High)
- CVE-2024-51999: CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes in expressjs express (severity: Low)
- CVE-2025-65838: n/a (severity: Unknown)