Cyber Posture

CVE-2024-13694

Severity: High
Published: 30 January 2025
Modified: 04 February 2025
KEV Added:
Patch:
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0005 (16.4th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

The WooCommerce Wishlist (High customization, fast setup, Free Elementor Wishlist, most features) plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.8.7 via the download_pdf_file() function due to missing validation on a user-controlled key. This makes it possible for unauthenticated attackers to extract data from wishlists that they should not have access to.

Security Summary

CVE-2024-13694 is an Insecure Direct Object Reference (IDOR) vulnerability affecting the WooCommerce Wishlist plugin for WordPress, which offers high customization, fast setup, free Elementor integration, and extensive features. The issue exists in all versions up to and including 1.8.7, stemming from insufficient validation of a user-controlled key in the download_pdf_file() function. This flaw is associated with CWE-285 (Improper Authorization) and CWE-639 (Authorization Bypass Through User-Controlled Key), earning a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with no integrity or availability disruption.

Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction required. By manipulating the user-controlled key, they gain unauthorized access to download PDF files containing wishlist data belonging to other users, potentially exposing sensitive product details, user preferences, or other private information stored in wishlists.
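To make the vulnerability class concrete, here is an added illustration of the pattern the summary describes: a download handler that uses a request-supplied wishlist key directly as the lookup key, beside a hardened version that only honours the key when the caller is the owner, the wishlist is explicitly public, or a matching share token is presented. This is example code written for this page, not the plugin's own download_pdf_file(); the wishlist records, user ids, and the wishlist_id and token parameters are constructed sample data and hypothetical names.

```php
<?php
// Added example, not the plugin's code. Wishlist store, user ids and request
// parameter names (wishlist_id, token) are constructed for illustration.
declare(strict_types=1);

// Constructed sample store: id => [owner_id, public, share_token, items]
const WISHLISTS = [
    1 => ['owner_id' => 10, 'public' => false, 'share_token' => 'tok-a1b2c3', 'items' => ['SKU-100', 'SKU-200']],
    2 => ['owner_id' => 11, 'public' => true,  'share_token' => 'tok-d4e5f6', 'items' => ['SKU-300']],
];

/**
 * Vulnerable pattern (IDOR): the id taken from the request is the only thing
 * that selects the record, so whoever changes it receives any wishlist.
 */
function download_pdf_file_vulnerable(array $request): ?array
{
    $id = (int) ($request['wishlist_id'] ?? 0);
    return WISHLISTS[$id] ?? null;   // no ownership, visibility or token check
}

/**
 * Hardened pattern: the same key is resolved, then an authorization decision
 * is made on the record before anything is returned. Unknown ids and denied
 * requests both yield null so the response does not reveal which ids exist.
 */
function download_pdf_file_hardened(array $request, int $current_user_id): ?array
{
    $id = (int) ($request['wishlist_id'] ?? 0);
    $wishlist = WISHLISTS[$id] ?? null;
    if ($wishlist === null) {
        return null;                                   // unknown id
    }
    if ($current_user_id !== 0 && $wishlist['owner_id'] === $current_user_id) {
        return $wishlist;                              // caller owns the wishlist
    }
    if ($wishlist['public'] === true) {
        return $wishlist;                              // owner chose to share it with everyone
    }
    $token = (string) ($request['token'] ?? '');
    // Constant-time comparison so the share-token check does not leak by timing.
    if ($token !== '' && hash_equals($wishlist['share_token'], $token)) {
        return $wishlist;
    }
    return null;                                       // every other request is denied
}

function describe(?array $w): string
{
    return $w === null ? 'denied' : 'items: ' . implode(', ', $w['items']);
}

// Demonstration: user 11 requests user 10's private wishlist (id 1).
$request = ['wishlist_id' => '1'];

echo 'vulnerable handler, user 11: ' . describe(download_pdf_file_vulnerable($request)) . PHP_EOL;
echo 'hardened handler, user 11:   ' . describe(download_pdf_file_hardened($request, 11)) . PHP_EOL;
echo 'hardened handler, owner 10:  ' . describe(download_pdf_file_hardened($request, 10)) . PHP_EOL;
echo 'hardened handler, anonymous, public list 2: '
    . describe(download_pdf_file_hardened(['wishlist_id' => '2'], 0)) . PHP_EOL;
```

Run with `php example.php`. The vulnerable handler hands user 11 the contents of wishlist 1; the hardened handler denies that request, still serves the owner, and still serves a list its owner marked public to an anonymous caller. In a real WordPress plugin the owner comparison would use get_current_user_id() against the owner stored with the wishlist in the database, and a form-driven download would additionally verify a nonce; the point of the example is that the decision must be made on the record the key resolves to, not on the key alone.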

References include Wordfence threat intelligence detailing the vulnerability, WordPress plugin Trac browser links to the affected code in class-wlfmc-form-handler.php and class-wlfmc-wishlist.php, the patch in changeset 3229758, and the plugin's developer page on WordPress.org, which recommends updating to a patched version for remediation.

Details

CWE(s)
CWE-285 (Improper Authorization), CWE-639 (Authorization Bypass Through User-Controlled Key)

Affected Products

moreconvert: woocommerce wishlist, versions ≤ 1.8.8

References