CVE-2025-11742: CWE-862 Missing Authorization in wpclever WPC Smart Wishlist for WooCommerce
The WPC Smart Wishlist for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wishlist_quickview' AJAX action in all versions up to, and including, 5.0.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view other users' wishlist data and information.
AI Analysis
Technical Summary
CVE-2025-11742 identifies a missing authorization vulnerability (CWE-862) in the WPC Smart Wishlist for WooCommerce plugin for WordPress, specifically in the 'wishlist_quickview' AJAX action. The handler for this action performs no capability check, so any authenticated user with at least Subscriber-level privileges can retrieve wishlist data belonging to other users. The vulnerability affects all plugin versions up to and including 5.0.4. Since WooCommerce is a widely used e-commerce platform and this plugin adds wishlist functionality, the flaw exposes potentially sensitive user preference data to other, low-privileged authenticated users. Exploitation requires no user interaction beyond authentication and is possible remotely over the network. The CVSS v3.1 score of 4.3 reflects a network attack vector, low attack complexity, and low privileges required (an authenticated user). The impact is limited to confidentiality loss, with no integrity or availability effects. No patches or fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability was published on October 18, 2025, and assigned by Wordfence. Organizations running WooCommerce with this plugin should be aware of the risk of unauthorized data disclosure and monitor for updates or mitigations.
Potential Impact
The primary impact of CVE-2025-11742 is unauthorized disclosure of user wishlist data within WooCommerce sites using the vulnerable plugin. This can lead to privacy violations, potential exposure of user preferences, and could aid attackers in profiling users or conducting targeted phishing or social engineering attacks. Although the vulnerability does not allow modification or deletion of data, the confidentiality breach can undermine customer trust and violate data protection regulations such as GDPR or CCPA. For e-commerce businesses, this could result in reputational damage and potential legal consequences. The requirement for authenticated access limits the attack surface to registered users, but given that Subscriber-level accounts are common in WordPress sites, the risk remains significant. The vulnerability does not affect system availability or integrity, so operational disruption is unlikely. However, in environments where user data confidentiality is critical, this vulnerability poses a moderate risk.
Mitigation Recommendations
To mitigate CVE-2025-11742, organizations should first check for any official patches or updates from the wpclever vendor and apply them immediately once available. In the absence of patches, administrators can implement temporary access controls by restricting Subscriber-level users from reaching the 'wishlist_quickview' AJAX endpoint, either through custom code or through security plugins that enforce capability checks. Monitoring and logging AJAX requests related to wishlist functionality can help detect suspicious access patterns, such as one account requesting many wishlists in quick succession. Additionally, review user roles and permissions to ensure the principle of least privilege is enforced, and limit self-registration of Subscriber accounts where it is not necessary. Employing Web Application Firewalls (WAFs) with custom rules to block unauthorized AJAX calls to the wishlist endpoint can also reduce risk. Finally, educating users and administrators about the vulnerability and encouraging strong authentication practices will help reduce exploitation likelihood.
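One way to implement the temporary capability check described above, as an added example that is not the plugin's or vendor's own code: a must-use plugin that hooks the 'wishlist_quickview' AJAX action ahead of the plugin's handler and rejects callers who lack a chosen capability. It assumes the plugin registers its handler on the standard wp_ajax_wishlist_quickview hook at WordPress's default priority of 10, and that the site accepts restricting quickview to users holding WooCommerce's manage_woocommerce capability until a fix ships.

```php
<?php
/**
 * Plugin Name: CVE-2025-11742 stop-gap guard (example, not vendor code)
 * Description: Blocks low-privileged users from the wishlist_quickview AJAX
 *              action until a patched plugin version is installed.
 * Install:     copy into wp-content/mu-plugins/ so it loads before normal plugins.
 */

// Assumption: the plugin's handler is attached to wp_ajax_wishlist_quickview
// at priority 10. Priority 0 makes this guard run first; if the check fails,
// wp_send_json_error() ends the request, so the handler never executes.
add_action( 'wp_ajax_wishlist_quickview', 'cve_2025_11742_guard_quickview', 0 );

function cve_2025_11742_guard_quickview() {
    // Temporary policy (assumed): only shop managers/admins may call the endpoint.
    // manage_woocommerce is a capability WooCommerce grants to those roles.
    if ( current_user_can( 'manage_woocommerce' ) ) {
        return; // fall through to the plugin's own handler
    }

    // Record the blocked attempt so access patterns can be reviewed.
    $remote = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'unknown';
    error_log( sprintf(
        'CVE-2025-11742 guard: blocked wishlist_quickview for user %d from %s',
        get_current_user_id(),
        $remote
    ) );

    // 403 JSON response; wp_send_json_error() calls wp_die() for AJAX requests.
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}
```

This guard also blocks ordinary customers from the quickview feature, which is the trade-off the temporary restriction implies; remove the file once the vendor's patched release is installed.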
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-14T14:04:03.801Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68f32a83bd206a5487a89662
Added to database: 10/18/2025, 5:49:55 AM
Last enriched: 2/27/2026, 7:16:12 PM
Last updated: 3/25/2026, 4:15:23 AM