CVE-2024-13718 in Flexible Wishlist for WooCommerce Plugininfo

Summary

by MITRE • 02/18/2025

The Flexible Wishlist for WooCommerce – Ecommerce Wishlist & Save for later plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.26. This is due to missing or incorrect nonce validation on several functions. This makes it possible for unauthenticated attackers to modify/update/create other user's wishlists via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 02/18/2025

The Flexible Wishlist for WooCommerce plugin presents a critical cross-site request forgery vulnerability that affects all versions through 1.2.26, creating a significant security risk for WordPress e-commerce environments. This vulnerability stems from inadequate nonce validation mechanisms within the plugin's core functionality, specifically targeting the wishlist management features that allow users to save products for later purchase. The flaw represents a fundamental breakdown in the plugin's security architecture, as it fails to properly verify the authenticity of requests originating from legitimate users versus malicious actors attempting to exploit the system.

The technical implementation of this vulnerability allows unauthenticated attackers to manipulate wishlist data through crafted forged requests that appear to come from legitimate administrative users. When an administrator clicks on a malicious link or performs an action that triggers the vulnerable functions, the forged requests can execute with elevated privileges, enabling unauthorized modifications to other users' wishlists. This creates a dangerous scenario where attackers can potentially access sensitive user data, manipulate product preferences, or even disrupt the normal operation of the e-commerce platform. The vulnerability operates at the application layer and specifically targets the plugin's user-facing interface functions that handle wishlist creation, modification, and deletion operations.

The operational impact of this CSRF vulnerability extends beyond simple data manipulation to potentially compromise user privacy and platform integrity within WooCommerce environments. Attackers could leverage this weakness to gain unauthorized access to user wishlist information, potentially exposing shopping preferences and behavioral patterns that could be used for targeted attacks or social engineering. The vulnerability particularly affects sites where administrators frequently interact with the plugin's administrative functions, as the attack vector relies on tricking legitimate users into performing actions that trigger the malicious requests. This makes the vulnerability especially dangerous in environments where administrators regularly visit external sites or receive phishing emails that could contain malicious links.

Security professionals should note that this vulnerability aligns with CWE-352, which specifically addresses cross-site request forgery conditions in web applications. The flaw demonstrates poor input validation and insufficient request verification mechanisms that are commonly exploited in modern web attacks. From an ATT&CK framework perspective, this vulnerability maps to techniques involving privilege escalation and credential exposure, as it allows attackers to perform actions on behalf of legitimate users without requiring authentication. Organizations should implement immediate mitigations including updating to the latest plugin version, implementing additional security layers such as Content Security Policy headers, and conducting thorough security audits of all installed plugins to identify similar vulnerabilities. The vulnerability also underscores the importance of proper nonce implementation in WordPress plugins and serves as a reminder that even seemingly simple features like wishlists can become attack vectors when proper security controls are not implemented.

Responsible

Wordfence

Reservation

01/24/2025

Disclosure

02/18/2025

Moderation

accepted

CPE

ready

EPSS

0.00154

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!