CVE-2024-13694

HIGH

Moreconvert Woocommerce Wishlist < 1.8.8 - Improper Authorization

Title source: rule

Description

The WooCommerce Wishlist (High customization, fast setup,Free Elementor Wishlist, most features) plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.8.7 via the download_pdf_file() function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to extract data from wishlists that they should not have access to.

References (5)

Core 5

Core References

Product

https://plugins.trac.wordpress.org/browser/smart-wishlist-for-more-convert/trunk/includes/class-wlfmc-form-handler.php#L607

Product

https://plugins.trac.wordpress.org/browser/smart-wishlist-for-more-convert/trunk/includes/class-wlfmc-wishlist.php#L529

Patch

https://plugins.trac.wordpress.org/changeset/3229758/

Product

https://wordpress.org/plugins/smart-wishlist-for-more-convert/#developers

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/59fe7630-ab94-419f-aca5-39b74d86ae4e?source=cve

Scores

CVSS v3 7.5

EPSS 0.0005

EPSS Percentile 16.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-639 CWE-285

Status published

Products (2)

moreconvert/MoreConvert Wishlist for WooCommerce < 1.8.7

moreconvert/woocommerce_wishlist < 1.8.8

Published Jan 30, 2025

Tracked Since Feb 18, 2026