CVE-2024-13694

WooCommerce Wishlist <= 1.8.7 - Unauthenticated Wishlist Disclosure via download_pdf_file Function

CVSS 7.5 HIGHEPSS 0.5%CWE-285

Vexday Risk Score

21Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 7.5EPSS 0.5%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

30 ene 2025Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

The WooCommerce Wishlist (High customization, fast setup,Free Elementor Wishlist, most features) plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.8.7 via the download_pdf_file() function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to extract data from wishlists that they should not have access to.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Productos afectados

moreconvert · MoreConvert Wishlist for WooCommerce

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://plugins.trac.wordpress.org/browser/smart-wishlist-for-more-convert/trunk/includes/class-wlfmc-form-handler.php#L607 https://plugins.trac.wordpress.org/browser/smart-wishlist-for-more-convert/trunk/includes/class-wlfmc-wishlist.php#L529 https://plugins.trac.wordpress.org/changeset/3229758/https://wordpress.org/plugins/smart-wishlist-for-more-convert/#developers https://www.wordfence.com/threat-intel/vulnerabilities/id/59fe7630-ab94-419f-aca5-39b74d86ae4e?source=cve