← back
CVE-2025-11532

Wisly <= 1.0.0 - Insecure Direct Object Reference to Unauthenticated Wishlist Manipulation

CVSS 5.3 MEDIUMEPSS 0.2%CWE-639
The Wisly plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0.0 due to missing validation on the 'wishlist_id' user controlled key. This makes it possible for unauthenticated attackers to remove and add items to other user's wishlists.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Affected products
softivus · Wisly

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://wordpress.org/plugins/wisly/https://www.wordfence.com/threat-intel/vulnerabilities/id/b311b404-f808-40fc-9f09-4eac05bce798?source=cve