Attack Vectors
Addonify – WooCommerce Wishlist (slug: addonify-wishlist) has a Medium-severity vulnerability (CVSS 5.3) that can be exploited over the network with no login required (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).
Because the issue is exploitable by unauthenticated users, an attacker does not need a customer account or admin access to attempt the unauthorized action. This is especially relevant for marketing and ecommerce sites where public traffic is high and attack scanning is constant.
Security Weakness
CVE-2025-68024 impacts all versions of Addonify – WooCommerce Wishlist up to and including 2.0.15. The root cause is a missing capability check on a plugin function, which can allow an unauthenticated attacker to perform an unauthorized settings update action.
Official references: CVE-2025-68024 record and the write-up from Wordfence Threat Intelligence.
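As an added illustration of the bug class described above (constructed example code, not the plugin's own; the handler names, option name and settings keys are hypothetical), a WordPress AJAX settings-update handler with the capability check missing, alongside its hardened form:

```php
<?php
// Constructed example of a WordPress admin-ajax settings handler.
// Names (example_save_settings, example_plugin_settings) are hypothetical.

// VULNERABLE: the action is registered on both the logged-in and the
// "nopriv" hook, and the callback never checks who the caller is or
// whether the request is legitimate, so any visitor who can reach
// admin-ajax.php can overwrite the plugin's stored settings.
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_vulnerable' );
add_action( 'wp_ajax_nopriv_example_save_settings', 'example_save_settings_vulnerable' );

function example_save_settings_vulnerable() {
    $settings = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    update_option( 'example_plugin_settings', $settings );
    wp_send_json_success();
}

// HARDENED: no nopriv hook (unauthenticated requests never reach the
// callback), an explicit capability check, a nonce check for CSRF, and
// input sanitized to a known shape before it is stored.
add_action( 'wp_ajax_example_save_settings_v2', 'example_save_settings_hardened' );

function example_save_settings_hardened() {
    // Capability check: the control whose absence defines this bug class.
    // wp_send_json_error() ends execution, so no fall-through occurs.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // CSRF protection: the admin page must send a nonce created with
    // wp_create_nonce( 'example_save_settings' ) in the 'nonce' field.
    check_ajax_referer( 'example_save_settings', 'nonce' );

    $raw = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();

    // Whitelist the keys and coerce each value to its expected type.
    $settings = array(
        'enable_wishlist' => ! empty( $raw['enable_wishlist'] ) ? 1 : 0,
        'button_label'    => isset( $raw['button_label'] )
            ? sanitize_text_field( $raw['button_label'] )
            : '',
    );

    update_option( 'example_plugin_settings', $settings );
    wp_send_json_success( $settings );
}
```

A quick audit heuristic for this class of issue is to list every `wp_ajax_nopriv_*` (and unauthenticated REST route) callback in a plugin and confirm that none of them reach `update_option()` without a capability check on the way.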
Technical or Business Impacts
The primary impact is on integrity (unauthorized changes), not confidentiality or availability, aligning with the CVSS vector (C:N / I:L / A:N). In business terms, unauthorized changes to plugin settings can create unexpected on-site behavior that affects customer journeys and conversion performance.
For marketing directors and executives, the key risks include brand trust (site behavior changes that confuse shoppers), revenue leakage (wishlist and shopping flows not behaving as intended), and operational disruption (time spent diagnosing “mysterious” ecommerce issues rather than running campaigns). Compliance teams should also note that unauthorized configuration changes may complicate internal control requirements for change management.
Remediation: Update Addonify – WooCommerce Wishlist to version 2.0.16 or newer (patched). As a best practice, confirm the update in staging first, then validate wishlist-related user flows after deployment.
Similar Attacks
Unauthenticated or low-friction modification vulnerabilities are a recurring theme in content management systems. A widely cited example is WordPress REST API content injection (CVE-2017-5487), which allowed unauthorized users to modify content in certain WordPress versions—demonstrating how missing or insufficient authorization checks can lead directly to integrity-impacting outcomes.