CVE-2025-11742: CWE-862 Missing Authorization in wpclever WPC Smart Wishlist for WooCommerce
The WPC Smart Wishlist for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wishlist_quickview' AJAX action in all versions up to, and including, 5.0.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view other users' wishlist data and information.
AI Analysis
Technical Summary
CVE-2025-11742 is a vulnerability classified under CWE-862 (Missing Authorization) in the WPC Smart Wishlist for WooCommerce plugin for WordPress. The plugin is widely used to let WooCommerce customers save products to wishlists. The flaw is the absence of a capability check on the 'wishlist_quickview' AJAX action, which retrieves wishlist data: because no authorization check gates that handler, any authenticated user with at least Subscriber-level access can invoke the endpoint and read wishlist data belonging to other users. The exposure is limited to confidentiality; the attacker cannot modify or delete wishlist data, and availability is not affected. The CVSS 3.1 base score is 4.3, reflecting a network attack vector, low attack complexity and no required user interaction, offset by an impact limited to confidentiality. All versions of the plugin up to and including 5.0.4 are affected. No patches or fixes are currently linked, and no exploitation in the wild has been reported. The issue matters for e-commerce sites running WooCommerce with this plugin, since wishlist data can reveal customer preferences and behavioural patterns; an attacker holding a subscriber account could harvest such data to support profiling or targeted phishing. The vulnerability was publicly disclosed on October 18, 2025, with Wordfence as the assigner. Given the plugin's popularity, the attack surface is significant, especially for European e-commerce businesses.
Potential Impact
For European organizations, the primary impact of CVE-2025-11742 is the unauthorized disclosure of customer wishlist data, which can include personal preferences and potentially sensitive information about shopping habits. This breach of confidentiality can undermine customer trust and may attract regulatory scrutiny under GDPR, especially where the data can be linked to identifiable individuals. Although the vulnerability allows neither data modification nor service disruption, exposure of personal data can facilitate social engineering, targeted phishing, or profiling. E-commerce businesses relying on WooCommerce and this plugin risk reputational damage and potential legal consequences if customer data is mishandled. The ease of exploitation, which requires only subscriber-level authentication, means an attacker can register an account or compromise a low-privilege one to reach the flaw; this raises the likelihood of exploitation wherever user registration is open or poorly monitored. The impact is therefore primarily on confidentiality and privacy, with indirect effects on business operations and compliance posture.
Mitigation Recommendations
1. Monitor for and apply any official patches or updates released by wpclever for the WPC Smart Wishlist plugin as soon as they become available.
2. In the absence of a patch, implement temporary access controls by restricting subscriber-level permissions to prevent unauthorized AJAX calls, possibly by disabling wishlist features for low-privilege users.
3. Employ Web Application Firewall (WAF) rules to detect and block suspicious AJAX requests targeting the 'wishlist_quickview' action from unauthorized users.
4. Audit user roles and registrations to limit the creation of unnecessary subscriber accounts and monitor for anomalous account activity.
5. Review and harden WordPress and WooCommerce security configurations, including limiting access to REST and AJAX endpoints.
6. Educate site administrators and developers about the vulnerability to ensure rapid response and awareness.
7. Consider implementing custom code to add authorization checks on the vulnerable AJAX endpoint if immediate patching is not possible.
8. Regularly review logs for unauthorized access attempts to wishlist data to detect exploitation attempts early.
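As an added illustration of recommendations 2, 7 and 8 (this is not the plugin's or the vendor's code), a hypothetical must-use plugin that hooks the same 'wishlist_quickview' AJAX action ahead of the plugin's own callback and refuses the request unless the caller holds a chosen capability, logging each refusal. The capability name 'edit_shop_orders', the function names and the log line format are assumptions; WordPress's `add_action`, `current_user_can`, `wp_send_json_error` and `is_user_logged_in` are standard core APIs.

```php
<?php
/**
 * Plugin Name: Wishlist quickview authorization guard (hypothetical stop-gap)
 * Place in wp-content/mu-plugins/ until the vendor fix is installed.
 */

// Priority 1 runs before the plugin's handler (core default is 10) on the
// logged-in AJAX hook, which is the path the advisory describes.
add_action( 'wp_ajax_wishlist_quickview', 'wqg_guard_wishlist_quickview', 1 );

function wqg_guard_wishlist_quickview() {
    // Capability a caller must hold while the flaw is unpatched.
    // 'edit_shop_orders' is an assumption; choose whatever fits your policy.
    $required_cap = apply_filters( 'wqg_required_capability', 'edit_shop_orders' );

    if ( is_user_logged_in() && current_user_can( $required_cap ) ) {
        return; // Authorized: fall through to the plugin's own callback.
    }

    // Record the refusal so routine log review can spot probing of this action.
    $ip = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'unknown';
    error_log( sprintf(
        'wishlist_quickview denied: user=%d ip=%s',
        get_current_user_id(),
        $ip
    ) );

    // wp_send_json_error() ends the request, so the unguarded handler never runs.
    wp_send_json_error( array( 'message' => 'Not authorized.' ), 403 );
}
```

Because the guard is capability-based rather than ownership-based, it also blocks ordinary shoppers from using quickview, which is the trade-off recommendation 2 describes; remove the mu-plugin once a fixed plugin version is deployed.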
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-14T14:04:03.801Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68f32a83bd206a5487a89662
Added to database: 10/18/2025, 5:49:55 AM
Last enriched: 10/25/2025, 9:55:01 AM
Last updated: 12/4/2025, 8:27:29 PM