Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2025-68024 is a medium priority vulnerability in the Addonify – WooCommerce Wishlist WordPress plugin versions up to and including 2.0.15.'}, {'type': 'paragraph', 'content': "The vulnerability is a 'Settings Change' issue caused by broken access control, classified under OWASP Top 10 A1."}, {'type': 'paragraph', 'content': 'It allows unauthenticated users to improperly change plugin settings due to incorrect access control configuration.'}, {'type': 'paragraph', 'content': 'This means attackers do not need any privileges to exploit this vulnerability.'}, {'type': 'paragraph', 'content': 'The issue was reported on November 22, 2025, and fixed in version 2.0.16 of the plugin.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow unauthorized users to change the settings of the Addonify – WooCommerce Wishlist plugin.

Such unauthorized changes could lead to unexpected behavior of the plugin, potentially compromising the functionality or security of your WooCommerce site.

Because no authentication is required, attackers can exploit this vulnerability remotely without any prior access.

The CVSS score of 6.5 indicates a moderate severity and a reasonable likelihood of exploitation.

To mitigate the risk, users should update the plugin to version 2.0.16 or later.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves unauthenticated users being able to change settings improperly due to broken access control in the Addonify – WooCommerce Wishlist Plugin versions up to 2.0.15.'}, {'type': 'paragraph', 'content': 'Detection can involve monitoring for unauthorized changes to plugin settings or unusual HTTP requests targeting the Addonify Wishlist plugin endpoints.'}, {'type': 'paragraph', 'content': 'Specific commands are not provided in the available resources, but general approaches include:'}, {'type': 'list_item', 'content': "Using web server logs to search for suspicious POST or GET requests to the plugin's settings URLs."}, {'type': 'list_item', 'content': 'Employing intrusion detection systems or web application firewalls (WAF) with rules targeting this vulnerability, such as those provided by Patchstack.'}, {'type': 'list_item', 'content': 'Checking the plugin version installed on your WordPress site to identify if it is vulnerable (version ≤ 2.0.15).'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The primary immediate step to mitigate this vulnerability is to update the Addonify – WooCommerce Wishlist Plugin to version 2.0.16 or later, where the issue has been patched.

Until the plugin is updated, it is recommended to apply mitigation rules provided by Patchstack to block attacks targeting this vulnerability.

Additionally, monitoring and restricting access to the plugin settings endpoints can help reduce the risk of exploitation.

Useful 0 Not Useful 0