Plugin is vulnerable to unauthenticated wishlist deletion

  • Currently there is no check in remove_all_from_wish_list wether the user id passed is the currently logged in user, this means anyone can just run this ajax hook over a list of ids (which are very easy to guess because incremental) and delete all the items in all the wishlists of everyone

Viewing 2 replies - 1 through 2 (of 2 total)

  • Dear Tovandel,

    I hope this message finds you well.

    Thank you for bringing this issue to our attention. I have forwarded the ticket to the appropriate developer for a thorough review of the identified vulnerabilities. I will keep you updated on any developments regarding the Wishlist for WooCommerce: Multi Wishlists Per Customer add-on.

    We greatly appreciate your valuable feedback.

    Best regards,
    WPFactory support team
    https://wpfactory.com

    Plugin Author Pablo Pacheco

    (@karzin)

    Hi @tofandel ,

    I believe I have been able to fix the issue on version 3.1.1 I just released.

    Please, update the plugin and let me know if it helps.

Viewing 2 replies - 1 through 2 (of 2 total)
  • You must be logged in to reply to this topic.