CVE-2024-13694
WooCommerce Wishlist <= 1.8.7 - Unauthenticated Wishlist Disclosure via download_pdf_file Function
| CVSS Score | 7.5 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
The WooCommerce Wishlist (High customization, fast setup,Free Elementor Wishlist, most features) plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.8.7 via the download_pdf_file() function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to extract data from wishlists that they should not have access to.
| CWE | CWE-285 |
| Vendor | moreconvert |
| Product | moreconvert wishlist for woocommerce |
| Published | Jan 30, 2025 |
| Last Updated | Apr 8, 2026 |
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | None |
| Availability | None |
Affected Versions
moreconvert / MoreConvert Wishlist for WooCommerce
0 ≤ 1.8.7
References
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/59fe7630-ab94-419f-aca5-39b74d86ae4e?source=cve
wordpress.org: https://wordpress.org/plugins/smart-wishlist-for-more-convert/#developers
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/smart-wishlist-for-more-convert/trunk/includes/class-wlfmc-form-handler.php#L607
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/smart-wishlist-for-more-convert/trunk/includes/class-wlfmc-wishlist.php#L529
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset/3229758/
Credits
Tim Coen