Wishlist Security & Risk Analysis

wordpress.org/plugins/wishlist

Add wishlist feature to your WooCommerce product or any post types.

400 active installs · v1.0.46 · PHP (min version not stated) · WP 3.8+ · Updated Dec 10, 2025
Tags: product-wishlist, wish-list, wishlist, woocommerce-wishlist

Score: 44/100 · Grade D · High Risk
CVEs total: 9
Unpatched: 5
Last CVE: Jun 4, 2025
Safety Verdict

Is Wishlist Safe to Use in 2026?

High Risk

Score 44/100

Wishlist carries significant security risk: 9 known CVEs, 5 of them listed as unpatched. Consider switching to an alternative with a cleaner patch record.

9 known CVEs · 5 unpatched · Last CVE: Jun 4, 2025 · Updated 5 months ago
Risk Assessment

The wishlist plugin at v1.0.46 presents a weak security posture. Static analysis finds no dangerous functions, file operations, external requests or bundled PHP libraries, and 801 of 840 output sites (95%) are escaped, but those positives are outweighed by the entry-point picture: 14 of the 21 entry points are flagged unprotected, the 16 AJAX registrations are covered by only 3 nonce checks and 2 capability checks, and 7 of those registrations use wp_ajax_nopriv_, so they are reachable by unauthenticated requests to admin-ajax.php. Only 2 of the 8 SQL queries go through $wpdb->prepare(), and 3 of the 6 traced data flows reach a sink without sanitization (the flow shown is pickplugins_wl_ajax_update_vote). The vulnerability history reinforces this: 9 CVEs disclosed in 2025 covering reflected and stored XSS, information exposure, missing authorization, CSRF and SQL injection, 5 of them listed as unpatched, a pattern that suggests the same classes of flaw recur rather than being addressed systematically. Two caveats apply when acting on the CVE list. Three of the unpatched entries (CVE-2025-31061, CVE-2025-31062, CVE-2025-31063) give an affected range of <= 2.1.0, which exceeds this plugin's own version numbering (latest 1.0.46), so confirm that they refer to this plugin before counting them. The two <= 1.0.44 entries (CVE-2025-32618, CVE-2025-32272) are flagged unpatched although 1.0.46 is current, so check whether the advisory records a fixed version before assuming 1.0.46 is affected. Even discounting those entries, the number of unauthenticated entry points with no nonce or capability check and the recurring injection and authorization findings make this plugin a significant risk.

Key Concerns

  • Unpatched CVEs present (5 of the 9 listed, all disclosed in 2025)
  • High number of unprotected entry points (14 of 21, across 16 AJAX registrations of which 7 are nopriv)
  • Unsanitized paths in taint analysis (3 of 6 traced flows, including pickplugins_wl_ajax_update_vote)
  • Low percentage of prepared SQL statements (2 of 8 queries, 25%)
  • Few nonce and capability checks relative to AJAX handlers (3 nonce checks and 2 capability checks for 16 registrations)
Vulnerabilities
9 published

Wishlist Security Vulnerabilities

CVEs by Year

2025: 9 CVEs (4 patched, 5 unpatched)

Severity Breakdown

Medium: 9 of 9 CVEs (CVSS 4.3 to 6.5)

CVE-2025-31061 · medium · CVSS 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Wishlist <= 2.1.0 - Reflected Cross-Site Scripting
Jun 4, 2025 · Unpatched

CVE-2025-49075 · medium · CVSS 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Wishlist <= 1.0.43 - Authenticated (Contributor+) Stored Cross-Site Scripting
May 30, 2025 · Patched in 1.0.44 (4 days)

CVE-2025-31062 · medium · CVSS 4.3 · Exposure of Sensitive Information to an Unauthorized Actor
Wishlist <= 2.1.0 - Authenticated (Subscriber+) Information Exposure
May 16, 2025 · Unpatched

CVE-2025-31063 · medium · CVSS 4.3 · Missing Authorization
Wishlist <= 2.1.0 - Missing Authorization
May 16, 2025 · Unpatched

CVE-2025-32618 · medium · CVSS 6.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Wishlist <= 1.0.44 - Authenticated (Subscriber+) SQL Injection
Apr 9, 2025 · Unpatched

CVE-2025-32272 · medium · CVSS 4.3 · Cross-Site Request Forgery (CSRF)
Wishlist <= 1.0.44 - Cross-Site Request Forgery
Apr 4, 2025 · Unpatched

CVE-2024-12809 · medium · CVSS 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Wishlist <= 1.0.43 - Authenticated (Contributor+) Stored Cross-Site Scripting
Mar 6, 2025 · Patched in 1.0.44 (1 day)

CVE-2025-26915 · medium · CVSS 6.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Wishlist <= 1.0.41 - Authenticated (Contributor+) SQL Injection
Feb 23, 2025 · Patched in 1.0.42 (9 days)

CVE-2025-24655 · medium · CVSS 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Wishlist <= 1.0.39 - Reflected Cross-Site Scripting
Jan 15, 2025 · Patched in 1.0.40 (98 days)
Code Analysis
Analyzed Mar 16, 2026

Wishlist Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 6 (2 prepared)
Unescaped Output: 39 (801 escaped)
Nonce Checks: 3
Capability Checks: 2
File Operations: 0
External Requests: 0
Bundled Libraries: 0 (note that the Asset Paths under Detection Fingerprints include third-party front-end files: Bootstrap, bootstrap-select and Owl Carousel; this count does not reflect them and they should be version-checked separately)

SQL Query Safety

25% prepared (2 of 8 queries)

Output Escaping

95% escaped (801 of 840 output sites)
Data Flows · Security
3 unsanitized

Data Flow Analysis

6 flows · 3 with unsanitized paths
Flow listed: pickplugins_wl_ajax_update_vote (includes\functions-ajax.php:91), which is also registered as an AJAX handler for both logged-in and anonymous callers (functions-ajax.php:113-114).
Attack Surface
14 unprotected

Wishlist Attack Surface

Entry Points: 21
Unprotected: 14

AJAX Handlers (16)

Label key: auth = wp_ajax_{action} hook, runs only for logged-in users; nopriv = wp_ajax_nopriv_{action} hook, runs for unauthenticated requests to admin-ajax.php. 7 of the 16 registrations are nopriv, and the adjacent line numbers suggest the same callback serves both hooks, so a missing nonce or capability check in a nopriv-registered callback is exposed to anonymous callers.

auth    wp_ajax_pickplugins_wl_ajax_offline_wishlist_items       includes\functions-ajax.php:38
nopriv  wp_ajax_pickplugins_wl_ajax_offline_wishlist_items       includes\functions-ajax.php:39
auth    wp_ajax_pickplugins_wl_ajax_wishlist_copy                includes\functions-ajax.php:83
nopriv  wp_ajax_pickplugins_wl_ajax_wishlist_copy                includes\functions-ajax.php:84
auth    wp_ajax_pickplugins_wl_ajax_update_vote                  includes\functions-ajax.php:113
nopriv  wp_ajax_pickplugins_wl_ajax_update_vote                  includes\functions-ajax.php:114
auth    wp_ajax_pickplugins_wl_ajax_sync_local_saved             includes\functions-ajax.php:149
nopriv  wp_ajax_pickplugins_wl_ajax_sync_local_saved             includes\functions-ajax.php:150
auth    wp_ajax_pickplugins_wl_ajax_update_wishlist              includes\functions-ajax.php:243
nopriv  wp_ajax_pickplugins_wl_ajax_update_wishlist              includes\functions-ajax.php:244
auth    wp_ajax_pickplugins_wl_ajax_remove_wishlist_item         includes\functions-ajax.php:290
auth    wp_ajax_pickplugins_wl_ajax_get_wishlist_menu_items      includes\functions-ajax.php:376
nopriv  wp_ajax_pickplugins_wl_ajax_get_wishlist_menu_items      includes\functions-ajax.php:377
auth    wp_ajax_pickplugins_wl_ajax_add_remove_item_on_wishlist  includes\functions-ajax.php:424
auth    wp_ajax_pickplugins_wl_ajax_create_save_wishlist         includes\functions-ajax.php:464
nopriv  wp_ajax_pickplugins_wl_ajax_create_save_wishlist         includes\functions-ajax.php:465
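As an added example (not code from the plugin or from the scanner behind this page), the following Python script reproduces the kind of check that yields the "unprotected" and "nonce checks relative to AJAX handlers" figures above: it finds every wp_ajax_ / wp_ajax_nopriv_ registration in PHP source, resolves the named callback and records whether the body calls a nonce or capability check. The PHP it scans is constructed for the example; the first handler reuses the plugin's naming scheme, the second (example_remove_item) is an invented hardened counterpart, and both bodies are hypothetical.

```python
"""Static check for WordPress AJAX registrations that lack nonce or capability checks.

Added example, not code from the plugin or from the scanner behind this page.
It finds add_action('wp_ajax_*' / 'wp_ajax_nopriv_*') calls, resolves the named
callback and records whether the body verifies a nonce or a capability.
The PHP below is constructed: the first handler borrows the plugin's naming
scheme, the second is an invented hardened counterpart; both bodies are
hypothetical.
"""
import re

# Constructed sample PHP: unprotected handler first, hardened one second.
SAMPLE_PHP = r'''<?php
add_action('wp_ajax_pickplugins_wl_ajax_update_vote', 'pickplugins_wl_ajax_update_vote');
add_action('wp_ajax_nopriv_pickplugins_wl_ajax_update_vote', 'pickplugins_wl_ajax_update_vote');
function pickplugins_wl_ajax_update_vote() {
    global $wpdb;
    $post_id = $_POST['post_id'];
    $wpdb->query("UPDATE {$wpdb->prefix}wl_votes SET votes = votes + 1 WHERE post_id = $post_id");
    wp_send_json_success();
}

add_action('wp_ajax_example_remove_item', 'example_remove_item');
function example_remove_item() {
    check_ajax_referer('example_wishlist_nonce', 'nonce');
    if (!current_user_can('read')) {
        wp_send_json_error('forbidden', 403);
    }
    global $wpdb;
    $item_id = absint($_POST['item_id']);
    $wpdb->query($wpdb->prepare(
        "DELETE FROM {$wpdb->prefix}wl_items WHERE id = %d AND user_id = %d",
        $item_id, get_current_user_id()
    ));
    wp_send_json_success();
}
'''

ADD_ACTION_RE = re.compile(
    r"""add_action\(\s*['"](wp_ajax_(?:nopriv_)?)([\w-]+)['"]\s*,\s*['"](\w+)['"]"""
)
NONCE_RE = re.compile(r"\b(?:check_ajax_referer|check_admin_referer|wp_verify_nonce)\s*\(")
CAP_RE = re.compile(r"\bcurrent_user_can\s*\(")


def function_body(php: str, name: str):
    """Brace-delimited body of `function <name>(...)`, or None if not defined.

    Plain brace counting: braces inside strings or comments are not tokenised,
    and array($this, 'method') callbacks are not resolved, so a real audit
    should use a PHP parser.
    """
    m = re.search(r"\bfunction\s+" + re.escape(name) + r"\s*\(", php)
    if not m:
        return None
    start = php.find("{", m.end())
    if start == -1:
        return None
    depth = 0
    for i in range(start, len(php)):
        if php[i] == "{":
            depth += 1
        elif php[i] == "}":
            depth -= 1
            if depth == 0:
                return php[start:i + 1]
    return None


def audit_ajax_handlers(php: str) -> list:
    """One record per wp_ajax_* registration with the checks its callback performs."""
    records = []
    for m in ADD_ACTION_RE.finditer(php):
        prefix, action, callback = m.groups()
        body = function_body(php, callback) or ""
        records.append({
            "hook": prefix + action,
            "nopriv": prefix.endswith("nopriv_"),   # reachable without a login
            "callback": callback,
            "line": php.count("\n", 0, m.start()) + 1,
            "nonce_check": bool(NONCE_RE.search(body)),
            "capability_check": bool(CAP_RE.search(body)),
        })
    return records


def unprotected(records: list) -> list:
    """Hooks whose callback never verifies a nonce: CSRF-able, and anonymous when nopriv."""
    return [r["hook"] for r in records if not r["nonce_check"]]


def summary(records: list) -> dict:
    """Counts in the shape of the attack-surface figures on this page."""
    return {
        "ajax_handlers": len(records),
        "nopriv": sum(1 for r in records if r["nopriv"]),
        "unprotected": len(unprotected(records)),
    }
```

Calling audit_ajax_handlers(SAMPLE_PHP) yields three records: the two pickplugins_wl_ajax_update_vote registrations are flagged (no nonce, no capability check, and the nopriv one is reachable by any anonymous HTTP client), while example_remove_item passes both checks. A real audit needs a PHP parser (string- and comment-aware brace matching, array and closure callbacks, class methods); the point here is the classification: an auth registration without a nonce is exposed to CSRF from any logged-in user's browser, and a nopriv registration without one needs no victim at all.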

Shortcodes 5

[wishlist_button] includes\classes\class-shortcodes.php:10
[wishlist_archive] includes\classes\class-shortcodes.php:11
[my_wishlist] includes\classes\class-shortcodes.php:12
[wishlist_single] includes\classes\class-shortcodes.php:14
[wishlist_count_by_post] includes\classes\class-shortcodes.php:15
WordPress Hooks (79)

Format: type, hook name, registering file:line. The type presumably reflects the registration call the analyzer found; several entries labelled action here (the_content, the_excerpt, post_row_actions, user_has_cap, manage_wishlist_posts_columns) are filters in WordPress core, which is harmless since add_action() wraps add_filter(). The user_has_cap registration (includes\classes\class-column-wishlist.php:19) modifies capability resolution and deserves a close look in any review of this plugin's authorization logic.

filter  wishlist_settings_tabs                    includes\3rd-party\easy-digital-downloads\functions.php:6
action  wishlist_settings_content_edd             includes\3rd-party\easy-digital-downloads\functions.php:30
filter  wishlist_settings_tabs                    includes\3rd-party\woocommerce\functions.php:6
action  wishlist_settings_content_woocommerce     includes\3rd-party\woocommerce\functions.php:30
action  woocommerce_after_shop_loop_item          includes\3rd-party\woocommerce\functions.php:175
action  woocommerce_single_product_summary        includes\3rd-party\woocommerce\functions.php:186
action  woocommerce_single_product_summary        includes\3rd-party\woocommerce\functions.php:197
action  wishlist_single_loop_main                 includes\3rd-party\woocommerce\functions.php:201
action  init                                      includes\3rd-party\woocommerce\functions.php:203
action  init                                      includes\3rd-party\woocommerce\functions.php:220
filter  query_vars                                includes\3rd-party\woocommerce\functions.php:221
action  after_switch_theme                        includes\3rd-party\woocommerce\functions.php:222
filter  woocommerce_account_menu_items            includes\3rd-party\woocommerce\functions.php:223
action  woocommerce_account_my_wishlist_endpoint  includes\3rd-party\woocommerce\functions.php:224
action  admin_notices                             includes\classes\class-admin-notices.php:10
filter  display_post_states                       includes\classes\class-column-wishlist.php:13
action  manage_wishlist_posts_columns             includes\classes\class-column-wishlist.php:15
action  manage_wishlist_posts_custom_column       includes\classes\class-column-wishlist.php:16
action  post_row_actions                          includes\classes\class-column-wishlist.php:18
action  user_has_cap                              includes\classes\class-column-wishlist.php:19
action  wishlist_metabox_content_options          includes\classes\class-metabox-wishlist-hook.php:6
action  wishlist_metabox_save                     includes\classes\class-metabox-wishlist-hook.php:73
action  add_meta_boxes                            includes\classes\class-metabox-wishlist.php:11
action  save_post                                 includes\classes\class-metabox-wishlist.php:12
action  init                                      includes\classes\class-post-types.php:13
action  admin_menu                                includes\classes\class-settings.php:8
action  the_content                               includes\functions.php:8
action  the_excerpt                               includes\functions.php:59
action  single_cat_title                          includes\functions.php:115
action  single_term_title                         includes\functions.php:116
action  single_tag_title                          includes\functions.php:117
action  term_description                          includes\functions.php:183
action  edd_download_after_content                includes\functions.php:418
action  delete_post                               includes\functions.php:429
action  wp_insert_post                            includes\functions.php:731
action  wp_footer                                 includes\functions.php:793
action  init                                      includes\functions.php:832
action  wishlist_settings_content_general         includes\settings-hook.php:4
action  wishlist_settings_content_archives        includes\settings-hook.php:536
action  wishlist_settings_content_my_wishlist     includes\settings-hook.php:660
action  wishlist_settings_content_wishlist_page   includes\settings-hook.php:782
action  wishlist_settings_content_style           includes\settings-hook.php:948
action  wishlist_settings_content_help_support    includes\settings-hook.php:1107
action  wishlist_settings_content_buy_pro         includes\settings-hook.php:1239
action  wishlist_settings_save                    includes\settings-hook.php:1506
action  my_wishlist                               templates\my-wishlist\my-wishlist-hook.php:5
action  my_wishlist_user_logged                   templates\my-wishlist\my-wishlist-hook.php:36
action  my_wishlist_after_loop                    templates\my-wishlist\my-wishlist-hook.php:139
action  my_wishlist_loop                          templates\my-wishlist\my-wishlist-hook.php:174
action  my_wishlist_user_not_logged               templates\my-wishlist\my-wishlist-hook.php:271
action  my_wishlist_loop                          templates\my-wishlist\my-wishlist-hook.php:288
action  wishlist_archive                          templates\wishlist-archive\wishlist-archive-hook.php:5
action  wishlist_archive_main                     templates\wishlist-archive\wishlist-archive-hook.php:57
action  wishlist_archive_after_loop               templates\wishlist-archive\wishlist-archive-hook.php:178
action  wishlist_archive_loop                     templates\wishlist-archive\wishlist-archive-hook.php:214
action  wishlist_archive                          templates\wishlist-archive\wishlist-archive-hook.php:311
action  wishlist_button                           templates\wishlist-button\wishlist-button-hook.php:5
action  wishlist_button                           templates\wishlist-button\wishlist-button-hook.php:109
filter  the_content                               templates\wishlist-single\wishlist-single-hook.php:21
action  wishlist_single                           templates\wishlist-single\wishlist-single-hook.php:24
action  wishlist_single_main                      templates\wishlist-single\wishlist-single-hook.php:118
action  wishlist_single_main                      templates\wishlist-single\wishlist-single-hook.php:170
action  wishlist_single_main                      templates\wishlist-single\wishlist-single-hook.php:180
action  wishlist_single_meta                      templates\wishlist-single\wishlist-single-hook.php:197
action  wishlist_single_meta                      templates\wishlist-single\wishlist-single-hook.php:237
action  wishlist_single_main                      templates\wishlist-single\wishlist-single-hook.php:298
action  wishlist_single_main                      templates\wishlist-single\wishlist-single-hook.php:372
action  wishlist_single_loop                      templates\wishlist-single\wishlist-single-hook.php:472
action  wishlist_single_loop                      templates\wishlist-single\wishlist-single-hook.php:490
action  wishlist_single_loop                      templates\wishlist-single\wishlist-single-hook.php:543
action  wishlist_single_loop                      templates\wishlist-single\wishlist-single-hook.php:581
action  wishlist_single_loop                      templates\wishlist-single\wishlist-single-hook.php:599
action  wishlist_single_loop                      templates\wishlist-single\wishlist-single-hook.php:614
action  wishlist_single                           templates\wishlist-single\wishlist-single-hook.php:627
action  plugins_loaded                            wishlist.php:30
action  plugins_loaded                            wishlist.php:31
action  admin_enqueue_scripts                     wishlist.php:285
action  wp_enqueue_scripts                        wishlist.php:286
action  admin_enqueue_scripts                     wishlist.php:287
Maintenance & Trust

Wishlist Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 10, 2025
PHP min version: not stated
Downloads: 30K

Community Trust

Rating: 76/100
Number of ratings: 13
Active installs: 400
Developer Profile

Wishlist Developer Profile

PickPlugins

14 plugins · 94K total installs

Trust score: 67
Avg Security Score: 83/100
Avg Patch Time: 330 days
Detection Fingerprints

How We Detect Wishlist

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wishlist/assets/css/bootstrap-min.css
/wp-content/plugins/wishlist/assets/css/bootstrap-select.min.css
/wp-content/plugins/wishlist/assets/css/frontend.css
/wp-content/plugins/wishlist/assets/css/owl.carousel.min.css
/wp-content/plugins/wishlist/assets/css/owl.theme.default.min.css
/wp-content/plugins/wishlist/assets/css/style.css
/wp-content/plugins/wishlist/assets/js/bootstrap-min.js
/wp-content/plugins/wishlist/assets/js/bootstrap-select.min.js
+3 more
Script Paths
/wp-content/plugins/wishlist/assets/js/frontend.js
/wp-content/plugins/wishlist/assets/js/script.js
Version Parameters
wishlist/assets/css/style.css?ver=
wishlist/assets/css/frontend.css?ver=
wishlist/assets/js/script.js?ver=
wishlist/assets/js/frontend.js?ver=

HTML / DOM Fingerprints

CSS Classes
pickplugins-wishlist-container
pickplugins_wishlist_add_to_wishlist
pickplugins_wishlist_remove_from_wishlist
pickplugins_wishlist_wishlist_page_wrapper
HTML Comments
Wishlist for WooCommerce and Custom Post Types
Add wish-list feature to your WooCommerce product or any post types.
This is the default wishlist page. Shortcode: [my_wishlist]
This is the wishlist archive page. Shortcode: [wishlist_archive]
+1 more
Data Attributes
data-product_id
data-wishlist_id
data-user_id
data-wishlist-item-id
JS Globals
pickplugins_wishlist_options
wishlishtJSON (spelled as found)
Shortcode Output
[my_wishlist]
[wishlist_archive]
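As an added example (not the site's own detection code), the following Python script applies the fingerprints listed in this section to fetched HTML, reads the plugin version from the ?ver= parameter that WordPress appends to the plugin's own assets, and compares that version with the affected ranges from the Vulnerabilities section. The sample page, the host name and the contents of the JS options object are constructed for the example.

```python
"""Fingerprint the Wishlist plugin in fetched HTML and map its ?ver= to the CVE table.

Added example, not the site's own scanner; host name and option contents in the
sample page are invented. ?ver= is only a hint: sites can override or strip it.
"""
import re
from html.parser import HTMLParser

ASSET_RE = re.compile(r"/wp-content/plugins/wishlist/assets/(?:css|js)/[\w.-]+\.(?:css|js)")
VERSION_RE = re.compile(r"wishlist/assets/(?:css|js)/(?:style|frontend|script)\.(?:css|js)\?ver=([0-9][\w.-]*)")
CSS_CLASSES = {"pickplugins-wishlist-container", "pickplugins_wishlist_add_to_wishlist",
               "pickplugins_wishlist_remove_from_wishlist", "pickplugins_wishlist_wishlist_page_wrapper"}
DATA_ATTRS = {"data-product_id", "data-wishlist_id", "data-user_id", "data-wishlist-item-id"}
JS_GLOBALS = ("pickplugins_wishlist_options", "wishlishtJSON")  # spelled as this page lists them
HTML_COMMENTS = {"Wishlist for WooCommerce and Custom Post Types",
                 "This is the default wishlist page. Shortcode: [my_wishlist]",
                 "This is the wishlist archive page. Shortcode: [wishlist_archive]"}

# Inclusive upper bound of each affected range in the Vulnerabilities section above.
# The three <= 2.1.0 entries exceed this plugin's own version line (latest 1.0.46);
# confirm against the advisory before treating a 1.0.x install as affected by them.
KNOWN_AFFECTED = {
    "CVE-2025-24655": "1.0.39", "CVE-2025-26915": "1.0.41", "CVE-2024-12809": "1.0.43",
    "CVE-2025-49075": "1.0.43", "CVE-2025-32618": "1.0.44", "CVE-2025-32272": "1.0.44",
    "CVE-2025-31061": "2.1.0", "CVE-2025-31062": "2.1.0", "CVE-2025-31063": "2.1.0",
}

# Constructed sample page (not captured from a real site).
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://shop.example/wp-content/plugins/wishlist/assets/css/frontend.css?ver=1.0.46">
<script src="https://shop.example/wp-content/plugins/wishlist/assets/js/frontend.js?ver=1.0.46"></script>
<script>var pickplugins_wishlist_options = {"ajaxurl": "https://shop.example/wp-admin/admin-ajax.php"};</script>
</head><body>
<!-- Wishlist for WooCommerce and Custom Post Types -->
<div class="pickplugins-wishlist-container">
  <button class="pickplugins_wishlist_add_to_wishlist" data-product_id="42" data-wishlist_id="7">Add</button>
</div></body></html>"""


class _Collector(HTMLParser):
    """Collects asset URLs, matching classes/data attributes, inline script text and comments."""

    def __init__(self):
        super().__init__()
        self.assets, self.classes, self.data_attrs, self.comments, self.scripts = [], set(), set(), [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            value = value or ""
            if name in ("src", "href") and ASSET_RE.search(value):
                self.assets.append(value)
            elif name == "class":
                self.classes.update(set(value.split()) & CSS_CLASSES)
            elif name in DATA_ATTRS:
                self.data_attrs.add(name)
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)

    def handle_comment(self, data):
        if data.strip() in HTML_COMMENTS:
            self.comments.append(data.strip())


def detect_wishlist(html: str) -> dict:
    """Evidence found plus the version hinted by ?ver= (None when absent or inconsistent)."""
    c = _Collector()
    c.feed(html)
    versions = {m.group(1) for a in c.assets for m in [VERSION_RE.search(a)] if m}
    script_text = "\n".join(c.scripts)
    evidence = {
        "assets": c.assets,
        "css_classes": sorted(c.classes),
        "data_attributes": sorted(c.data_attrs),
        "js_globals": [g for g in JS_GLOBALS if re.search(r"\b%s\b" % re.escape(g), script_text)],
        "html_comments": c.comments,
    }
    return {"detected": any(evidence.values()),
            "version": versions.pop() if len(versions) == 1 else None, **evidence}


def _vtuple(version: str) -> tuple:
    return tuple(int(p) for p in re.findall(r"\d+", version))


def affected_by(version: str, ranges: dict = KNOWN_AFFECTED) -> list:
    """CVE ids whose listed range (<= upper bound) includes the given version."""
    return sorted(cve for cve, top in ranges.items() if _vtuple(version) <= _vtuple(top))
```

detect_wishlist() returns the evidence it matched and reports a version only when every versioned plugin asset agrees; treat it as a hint, since sites can strip or override ?ver=. affected_by() is a plain inclusive comparison against the listed upper bounds, which is why it reports the three <= 2.1.0 entries for every 1.0.x version; confirm those against the advisory before acting on them.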
FAQ

Frequently Asked Questions about Wishlist