CVE-2025-13157: CWE-639 Authorization Bypass Through User-Controlled Key in qodeinteractive QODE Wishlist for WooCommerce
The QODE Wishlist for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.7 via the 'qode_wishlist_for_woocommerce_wishlist_table_item_callback' function due to missing validation on a user-controlled key. This makes it possible for unauthenticated attackers to update the public view of arbitrary wishlists.
AI Analysis
Technical Summary
CVE-2025-13157 is an insecure direct object reference vulnerability in the QODE Wishlist for WooCommerce plugin for WordPress, affecting all versions up to and including 1.2.7. The vulnerability arises from the 'qode_wishlist_for_woocommerce_wishlist_table_item_callback' function, which fails to validate a user-controlled key, enabling unauthorized modification of wishlist public views by unauthenticated attackers. This issue is classified under CWE-639 (Authorization Bypass Through User-Controlled Key). The CVSS 3.1 score is 5.3 (medium severity), reflecting network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, no confidentiality impact, limited integrity impact, and no availability impact.
Potential Impact
An attacker without authentication can update the public view of arbitrary wishlists, potentially altering wishlist data visible to users. No confidentiality or availability impact is reported; the integrity of wishlist data is partially affected by these unauthorized modifications.
Mitigation Recommendations
Patch status is not yet confirmed; check the vendor advisory for current remediation guidance. Until an official fix is released, monitor vendor communications and apply any plugin update promptly once it is available. No specific temporary mitigations are provided in the current data.
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-13T23:05:58.684Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6927f676e2794b4b765ba39b
Added to database: 11/27/2025, 6:57:58 AM
Last enriched: 4/9/2026, 9:29:18 AM
Last updated: 5/9/2026, 9:40:22 PM