CVE-2026-32407
Missing Authorization in WPC Smart Wishlist Plugin Allows Unauthorized Access

Publication date: 2026-03-13

Last updated on: 2026-03-13

Assigner: Patchstack

Description
Missing Authorization vulnerability in WPClever WPC Smart Wishlist for WooCommerce woo-smart-wishlist allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPC Smart Wishlist for WooCommerce: from n/a through <= 5.0.8.
Meta Information
Published: 2026-03-13
Last Modified: 2026-03-13
Generated: 2026-06-16
AI Q&A: 2026-03-13
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
wplever wpc_smart_wishlist_for_woocommerce to 5.0.8 (inc)
wplever wpc_smart_wishlist to 5.0.8 (inc)
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

CVE-2026-32407 is a Broken Access Control vulnerability in the WordPress plugin "WPC Smart Wishlist for WooCommerce" versions up to and including 5.0.8.

The issue arises from missing authorization, authentication, or nonce token checks within certain functions, which allows unprivileged users, such as those with Subscriber-level privileges, to perform actions that should be restricted to higher-privileged roles.

This vulnerability falls under the OWASP Top 10 category A1: Broken Access Control. [1]

Impact Analysis

The vulnerability allows low-privileged users to perform actions reserved for higher-privileged roles due to missing authorization checks.

However, the CVSS severity score is 4.3, indicating a low impact and low priority issue.

Overall, it is unlikely to be exploited with significant impact, but it still poses a risk of unauthorized actions within the affected plugin.

Users are advised to update to version 5.0.9 or later to mitigate this risk.

Detection Guidance

This vulnerability arises from missing authorization checks in the WPC Smart Wishlist for WooCommerce plugin versions up to 5.0.8, allowing low-privileged users to perform unauthorized actions.

Detection would involve verifying the plugin version installed on your WordPress site and checking for unauthorized access attempts or actions performed by subscriber-level users that should require higher privileges.

A practical step is to check the installed plugin version using WP-CLI with the command: wp plugin list | grep woo-smart-wishlist

Additionally, monitoring web server logs for suspicious requests to the plugin's endpoints by low-privileged users could help detect exploitation attempts. [1]
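The version check described above can be scripted so that it gives a clear verdict rather than a line to read by eye. This is an added example, not part of the original advisory or the plugin's code; the function names and the sample CSV are constructed for illustration, and the 5.0.8 boundary comes from this page.

```shell
#!/bin/sh
# Added example: flag woo-smart-wishlist installs at or below 5.0.8.
SLUG="woo-smart-wishlist"
LAST_AFFECTED="5.0.8"   # from the advisory; 5.0.9 is the fixed release

# version_le A B: succeed when dotted version A <= B, compared numerically
# per component (so 5.0.10 is newer than 5.0.8, unlike a string compare).
version_le() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 0
  }'
}

# plugin_version: read CSV (name,status,version) on stdin and print the
# version of $SLUG; prints nothing when the plugin is not installed.
plugin_version() {
  awk -F, -v slug="$SLUG" '$1 == slug { print $3; exit }'
}

# classify: CSV on stdin -> "not-installed", "affected <ver>" or "patched <ver>".
# Status is ignored on purpose: an inactive affected copy still needs updating.
classify() {
  ver=$(plugin_version)
  if [ -z "$ver" ]; then
    echo "not-installed"
  elif version_le "$ver" "$LAST_AFFECTED"; then
    echo "affected $ver"
  else
    echo "patched $ver"
  fi
}

# Live use, run from the WordPress root:
#   wp plugin list --fields=name,status,version --format=csv | classify

# Constructed sample output, so the script runs without a WordPress install.
SAMPLE='name,status,version
woocommerce,active,9.1.2
woo-smart-wishlist,active,5.0.8'
printf '%s\n' "$SAMPLE" | classify
```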

Mitigation Strategies

The primary mitigation step is to update the WPC Smart Wishlist for WooCommerce plugin to version 5.0.9 or later, where the vulnerability has been patched.

If immediate updating is not possible, restrict access to the plugin's functionality to trusted users only and monitor for unusual activity from subscriber-level accounts.

Using automated update tools like Patchstack can facilitate rapid deployment of the patched version. [1]
