CVE-2025-68024
Missing Authorization in Addonify WooCommerce Wishlist
Publication date: 2026-02-20
Last updated on: 2026-02-24
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| addonify | addonify_woocommerce_wishlist | to 2.0.15 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2025-68024 is a medium priority vulnerability in the Addonify β WooCommerce Wishlist WordPress plugin versions up to and including 2.0.15.'}, {'type': 'paragraph', 'content': "The vulnerability is a 'Settings Change' issue caused by broken access control, classified under OWASP Top 10 A1."}, {'type': 'paragraph', 'content': 'It allows unauthenticated users to improperly change plugin settings due to incorrect access control configuration.'}, {'type': 'paragraph', 'content': 'This means attackers do not need any privileges to exploit this vulnerability.'}, {'type': 'paragraph', 'content': 'The issue was reported on November 22, 2025, and fixed in version 2.0.16 of the plugin.'}] [1]
How can this vulnerability impact me? :
This vulnerability can allow unauthorized users to change the settings of the Addonify β WooCommerce Wishlist plugin.
Such unauthorized changes could lead to unexpected behavior of the plugin, potentially compromising the functionality or security of your WooCommerce site.
Because no authentication is required, attackers can exploit this vulnerability remotely without any prior access.
The CVSS score of 6.5 indicates a moderate severity and a reasonable likelihood of exploitation.
To mitigate the risk, users should update the plugin to version 2.0.16 or later.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability involves unauthenticated users being able to change settings improperly due to broken access control in the Addonify β WooCommerce Wishlist Plugin versions up to 2.0.15.'}, {'type': 'paragraph', 'content': 'Detection can involve monitoring for unauthorized changes to plugin settings or unusual HTTP requests targeting the Addonify Wishlist plugin endpoints.'}, {'type': 'paragraph', 'content': 'Specific commands are not provided in the available resources, but general approaches include:'}, {'type': 'list_item', 'content': "Using web server logs to search for suspicious POST or GET requests to the plugin's settings URLs."}, {'type': 'list_item', 'content': 'Employing intrusion detection systems or web application firewalls (WAF) with rules targeting this vulnerability, such as those provided by Patchstack.'}, {'type': 'list_item', 'content': 'Checking the plugin version installed on your WordPress site to identify if it is vulnerable (version β€ 2.0.15).'}] [1]
What immediate steps should I take to mitigate this vulnerability?
The primary immediate step to mitigate this vulnerability is to update the Addonify β WooCommerce Wishlist Plugin to version 2.0.16 or later, where the issue has been patched.
Until the plugin is updated, it is recommended to apply mitigation rules provided by Patchstack to block attacks targeting this vulnerability.
Additionally, monitoring and restricting access to the plugin settings endpoints can help reduce the risk of exploitation.