Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for Wisly by softivus

    CVE-2025-11532 (GCVE-0-2025-11532)

    Vulnerability from nvd – Published: 2025-11-11 03:30 – Updated: 2026-04-08 17:16
    VLAI
    Title
    Wisly <= 1.0.0 - Insecure Direct Object Reference to Unauthenticated Wishlist Manipulation
    Summary
    The Wisly plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0.0 due to missing validation on the 'wishlist_id' user controlled key. This makes it possible for unauthenticated attackers to remove and add items to other user's wishlists.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Vendor Product Version
    softivus Wisly Affected: 0 , ≤ 1.0.0 (semver)
    Create a notification for this product.
    Credits
    Itthidej Aramsri
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-11532",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-12T15:12:11.231194Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-12T20:05:28.344Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Wisly",
              "vendor": "softivus",
              "versions": [
                {
                  "lessThanOrEqual": "1.0.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Itthidej Aramsri"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Wisly plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0.0 due to missing validation on the \u0027wishlist_id\u0027 user controlled key. This makes it possible for unauthenticated attackers to remove and add items to other user\u0027s wishlists."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:16:35.718Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b311b404-f808-40fc-9f09-4eac05bce798?source=cve"
            },
            {
              "url": "https://wordpress.org/plugins/wisly/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-11-10T14:57:28.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Wisly \u003c= 1.0.0 - Insecure Direct Object Reference to Unauthenticated Wishlist Manipulation"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-11532",
        "datePublished": "2025-11-11T03:30:47.370Z",
        "dateReserved": "2025-10-08T19:14:04.214Z",
        "dateUpdated": "2026-04-08T17:16:35.718Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-11532 (GCVE-0-2025-11532)

    Vulnerability from cvelistv5 – Published: 2025-11-11 03:30 – Updated: 2026-04-08 17:16
    VLAI
    Title
    Wisly <= 1.0.0 - Insecure Direct Object Reference to Unauthenticated Wishlist Manipulation
    Summary
    The Wisly plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0.0 due to missing validation on the 'wishlist_id' user controlled key. This makes it possible for unauthenticated attackers to remove and add items to other user's wishlists.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Vendor Product Version
    softivus Wisly Affected: 0 , ≤ 1.0.0 (semver)
    Create a notification for this product.
    Credits
    Itthidej Aramsri
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-11532",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-12T15:12:11.231194Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-12T20:05:28.344Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Wisly",
              "vendor": "softivus",
              "versions": [
                {
                  "lessThanOrEqual": "1.0.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Itthidej Aramsri"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Wisly plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0.0 due to missing validation on the \u0027wishlist_id\u0027 user controlled key. This makes it possible for unauthenticated attackers to remove and add items to other user\u0027s wishlists."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:16:35.718Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b311b404-f808-40fc-9f09-4eac05bce798?source=cve"
            },
            {
              "url": "https://wordpress.org/plugins/wisly/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-11-10T14:57:28.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Wisly \u003c= 1.0.0 - Insecure Direct Object Reference to Unauthenticated Wishlist Manipulation"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-11532",
        "datePublished": "2025-11-11T03:30:47.370Z",
        "dateReserved": "2025-10-08T19:14:04.214Z",
        "dateUpdated": "2026-04-08T17:16:35.718Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }