CVE-2025-49319: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability (CVE-2025-49319) was discovered in WPFactory Wishlist for WooCommerce plugin versions up to 3.2.3. The vulnerability was disclosed on July 10, 2025, and affects the access control security levels of the plugin (Patchstack).

The vulnerability is classified as a Missing Authorization (CWE-862) issue with a CVSS v3.1 Base Score of 6.5 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L. The security flaw stems from a missing capability check on a function, which allows for unauthorized access to certain functionalities (NVD, Rapid7).

The vulnerability enables unauthenticated attackers to perform unauthorized actions within the WooCommerce wishlist functionality. The impact primarily affects the integrity and availability of the system, while confidentiality remains uncompromised according to the CVSS scoring (Patchstack).

Users are advised to update to version 3.2.4 or later of the Wishlist for WooCommerce plugin to resolve the vulnerability. Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).