
CVE-2025-68024: Missing Authorization in Addonify Addonify – WooCommerce Wishlist

Severity: High
Published: Fri Feb 20 2026 (02/20/2026, 15:46:35 UTC)
Source: CVE Database V5
Vendor/Project: Addonify
Product: Addonify – WooCommerce Wishlist

Description

CVE-2025-68024 is a missing authorization vulnerability in the Addonify – WooCommerce Wishlist plugin, versions up to 2.0.15. The flaw allows attackers to bypass access controls because of incorrectly configured security levels, potentially enabling unauthorized actions within the plugin. It affects WooCommerce stores using this addon, which is popular for wishlist functionality. No public exploits are currently known, and no CVSS score has been assigned. The absence of proper authorization checks can lead to unauthorized data manipulation or disclosure. Exploitation does not require user interaction but may require knowledge of the plugin's endpoints. Organizations running WooCommerce with this plugin are at risk, especially e-commerce sites relying on wishlist features. Immediate patching or mitigation is advised once updates become available.

AI-Powered Analysis

Last updated: 02/20/2026, 21:18:14 UTC

Technical Analysis

CVE-2025-68024 identifies a missing authorization vulnerability in the Addonify – WooCommerce Wishlist plugin, specifically affecting versions up to and including 2.0.15. The vulnerability arises from incorrectly configured access control mechanisms within the plugin, which fail to properly verify whether a user has the necessary permissions to perform certain actions. This flaw can be exploited by an attacker to bypass security controls, potentially allowing unauthorized users to access or manipulate wishlist data or related functionality. Since WooCommerce is a widely used e-commerce platform, and the Addonify Wishlist plugin is a popular extension for adding wishlist capabilities, this vulnerability can impact a broad range of online stores. The technical details do not specify the exact nature of the unauthorized actions possible, but missing authorization typically enables attackers to perform operations reserved for authenticated or privileged users, such as viewing or modifying wishlist entries of other users. No public exploits have been reported yet, and no CVSS score has been assigned, indicating that the vulnerability is newly disclosed and may not yet be widely weaponized. The vulnerability does not require user interaction, increasing the risk of automated exploitation. The lack of patch links suggests that a fix may not yet be available, underscoring the need for vigilance and interim mitigations. The vulnerability was reserved in December 2025 and published in February 2026, reflecting recent discovery and disclosure.
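The analysis above describes the vulnerability class (CWE-862, missing authorization) only in general terms, and the page does not disclose which plugin endpoints are affected. The following added example, which is not code from the Addonify plugin, shows what that class typically looks like in a WordPress plugin and what the corresponding check looks like: an AJAX handler that acts on a wishlist without verifying the caller owns it, beside a hardened handler and a REST route that gate the same operation. All names (the `demo_wishlist` prefix, hook names, the `demo_wishlists` and `demo_wishlist_items` tables) are assumptions made for the illustration.

```php
<?php
/**
 * Added illustration of the "missing authorization" class (CWE-862) in a
 * WordPress plugin. NOT code from the Addonify plugin: the demo_wishlist
 * prefix, hook names and table layout are assumptions for this example.
 */

// Assumed storage helpers backed by two hypothetical custom tables.
function demo_wishlist_owner( $wishlist_id ) {
    global $wpdb;
    return (int) $wpdb->get_var( $wpdb->prepare(
        "SELECT user_id FROM {$wpdb->prefix}demo_wishlists WHERE id = %d",
        $wishlist_id
    ) );
}

function demo_wishlist_delete_row( $wishlist_id, $item_id ) {
    global $wpdb;
    return $wpdb->delete(
        $wpdb->prefix . 'demo_wishlist_items',
        array( 'wishlist_id' => $wishlist_id, 'item_id' => $item_id ),
        array( '%d', '%d' )
    );
}

// --- Weak pattern: registered for logged-in AND anonymous callers, with no
// --- nonce, no authentication and no ownership check. Any request that names
// --- a wishlist_id and item_id modifies that wishlist, whoever owns it.
function demo_wishlist_remove_item_unchecked() {
    $wishlist_id = absint( $_POST['wishlist_id'] ?? 0 );
    $item_id     = absint( $_POST['item_id'] ?? 0 );
    demo_wishlist_delete_row( $wishlist_id, $item_id );
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_wishlist_remove_unchecked',        'demo_wishlist_remove_item_unchecked' );
add_action( 'wp_ajax_nopriv_demo_wishlist_remove_unchecked', 'demo_wishlist_remove_item_unchecked' );

// --- Hardened pattern: three separate gates, each answering a different question.
function demo_wishlist_remove_item() {
    // 1. Anti-CSRF: the request must carry a nonce issued to this session.
    //    check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'demo_wishlist_nonce', 'nonce' );

    // 2. Authentication: anonymous callers are refused. Note there is
    //    deliberately no wp_ajax_nopriv_ registration for this action.
    $user_id = get_current_user_id();
    if ( 0 === $user_id ) {
        wp_send_json_error( array( 'message' => 'login required' ), 401 );
    }

    $wishlist_id = absint( $_POST['wishlist_id'] ?? 0 );
    $item_id     = absint( $_POST['item_id'] ?? 0 );

    // 3. Authorization: the wishlist must belong to the caller, or the caller
    //    must hold a store-management capability. The absence of this check,
    //    not of the nonce or the login, is what "missing authorization" means.
    $owner_id = demo_wishlist_owner( $wishlist_id );
    if ( $owner_id !== $user_id && ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    demo_wishlist_delete_row( $wishlist_id, $item_id );
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_wishlist_remove', 'demo_wishlist_remove_item' );

// --- The same gate for a REST route. permission_callback is where
// --- authorization belongs; '__return_true' there is the REST equivalent
// --- of the unchecked AJAX handler above.
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo-wishlist/v1', '/wishlist/(?P<wishlist_id>\d+)/item', array(
        'methods'             => 'DELETE',
        'callback'            => function ( WP_REST_Request $request ) {
            demo_wishlist_delete_row( (int) $request['wishlist_id'], (int) $request['item_id'] );
            return rest_ensure_response( array( 'removed' => true ) );
        },
        'permission_callback' => function ( WP_REST_Request $request ) {
            $owner = demo_wishlist_owner( (int) $request['wishlist_id'] );
            return is_user_logged_in()
                && ( $owner === get_current_user_id() || current_user_can( 'manage_woocommerce' ) );
        },
        'args' => array(
            'item_id' => array( 'required' => true, 'sanitize_callback' => 'absint' ),
        ),
    ) );
} );
```

When auditing a plugin for this class, the useful question is whether every state-changing handler performs the third gate (ownership or capability) and not merely the first two: a nonce proves the request came from the site's own page, and a login proves who the caller is, but neither proves the caller may touch the specific record named in the request.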

Potential Impact

The missing authorization vulnerability in the Addonify Wishlist plugin can have significant impacts on organizations operating WooCommerce-based e-commerce sites. Unauthorized access to wishlist data can lead to privacy violations, exposing customer preferences and potentially sensitive information. Attackers might manipulate wishlist contents, causing confusion or fraudulent activity, which can degrade customer trust and damage brand reputation. In some scenarios, unauthorized actions could be leveraged as a foothold for further attacks within the e-commerce environment, including privilege escalation or data tampering. The vulnerability could also disrupt normal business operations if exploited at scale, affecting availability or integrity of wishlist features. Given the widespread use of WooCommerce globally, the scope of affected systems is substantial. Although no exploits are currently known in the wild, the ease of exploitation due to missing authorization and lack of user interaction requirements increases the risk of future attacks. Organizations failing to address this vulnerability may face regulatory compliance issues related to data protection and security best practices.

Mitigation Recommendations

Organizations should immediately audit their WooCommerce installations to identify if the Addonify – WooCommerce Wishlist plugin version 2.0.15 or earlier is in use. Until an official patch is released, administrators should consider disabling the plugin to prevent exploitation. Implementing web application firewall (WAF) rules to restrict access to wishlist-related endpoints can help mitigate unauthorized requests. Monitoring logs for unusual access patterns or unauthorized attempts targeting wishlist functionality is critical. Restricting access to the WordPress admin and plugin management interfaces through IP whitelisting or multi-factor authentication can reduce risk. Developers and site administrators should follow up with Addonify for updates or patches and apply them promptly once available. Additionally, reviewing and tightening overall access control policies within WooCommerce and related plugins can prevent similar issues. Educating staff on the risks of plugin vulnerabilities and maintaining a robust patch management process are also recommended.


Technical Details

Data Version: 5.2
Assigner Short Name: Patchstack
Date Reserved: 2025-12-15T10:00:59.034Z
CVSS Version: null
State: PUBLISHED

Threat ID: 6998c9edbe58cf853bab8525

Added to database: 2/20/2026, 8:54:05 PM

Last enriched: 2/20/2026, 9:18:14 PM

Last updated: 2/21/2026, 5:46:28 AM
