CVE-2025-32272 Overview
CVE-2025-32272 is a Cross-Site Request Forgery (CSRF) vulnerability [CWE-352] in the PickPlugins Wishlist plugin for WordPress. The flaw affects all versions of the plugin up to and including 1.0.46. An attacker who tricks an authenticated user into visiting a crafted page can force that user's browser to submit unintended state-changing requests to the vulnerable site. The issue is categorized as a network-exploitable weakness that requires user interaction and produces limited integrity impact.
Critical Impact
Attackers can coerce authenticated WordPress users into performing unintended actions in the Wishlist plugin, resulting in unauthorized state changes without the victim's consent.
Affected Products
- PickPlugins Wishlist plugin for WordPress
- All versions from n/a through <= 1.0.46
- WordPress sites running the vulnerable Wishlist plugin
Discovery Timeline
- 2025-04-04 - CVE-2025-32272 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-32272
Vulnerability Analysis
The Wishlist plugin fails to validate the origin and intent of state-changing HTTP requests. WordPress provides a nonce mechanism to bind requests to authenticated sessions, but the affected plugin endpoints do not verify this token consistently. As a result, an attacker-controlled page can trigger authenticated actions against the target site when a logged-in user visits it.
Exploitation requires the victim to interact with attacker-controlled content, such as clicking a link or loading a page hosting a hidden form. The impact is limited to integrity effects on plugin data, with no direct confidentiality or availability loss reported. The vulnerability aligns with the CWE-352 pattern where authentication is present but request authenticity is not enforced.
Root Cause
The root cause is missing or insufficient CSRF token validation on plugin request handlers. WordPress plugins are expected to use wp_nonce_field() and check_admin_referer() or wp_verify_nonce() on any endpoint that mutates state. In Wishlist versions through 1.0.46, one or more handlers accept requests without verifying a nonce tied to the current user session.
Attack Vector
An attacker crafts a malicious HTML page containing a form or JavaScript that submits a request to the vulnerable Wishlist endpoint. The attacker then lures an authenticated WordPress user, such as an administrator or subscriber with wishlist privileges, to visit the page. The browser attaches the user's session cookies automatically, and the plugin processes the forged request as legitimate.
Because the attack vector is network-based and requires no privileges from the attacker, any publicly reachable WordPress site with an active session user is exposed. See the Patchstack WordPress Vulnerability Report for additional technical context.
Detection Methods for CVE-2025-32272
Indicators of Compromise
- Unexpected modifications to wishlist entries, user metadata, or plugin settings without corresponding administrator activity.
- Web server access logs showing POST requests to Wishlist plugin endpoints with Referer headers pointing to external, untrusted domains.
- Authenticated requests missing the expected _wpnonce parameter on state-changing Wishlist actions.
Detection Strategies
- Inspect access logs for cross-origin requests targeting Wishlist plugin URLs during active administrator sessions.
- Correlate WordPress audit trail entries with browsing activity to identify plugin actions users did not knowingly initiate.
- Deploy a Web Application Firewall (WAF) rule set that flags state-changing requests lacking valid WordPress nonces.
Monitoring Recommendations
- Enable WordPress activity logging to record all changes performed through the Wishlist plugin.
- Monitor for anomalous spikes in Wishlist-related POST requests originating from a narrow set of client IPs.
- Alert on requests to plugin endpoints with Referer values outside the site's own domain.
How to Mitigate CVE-2025-32272
Immediate Actions Required
- Update the PickPlugins Wishlist plugin to a version later than 1.0.46 as soon as a fixed release is available.
- Audit administrator and privileged user accounts for any unauthorized wishlist or plugin configuration changes.
- Instruct privileged users to log out of the WordPress admin dashboard when not actively working on the site.
Patch Information
At the time of the last NVD update on 2026-06-17, the vulnerability is reported as affecting versions through <= 1.0.46. Administrators should consult the Patchstack advisory and the plugin repository for the current fixed release and apply it across all environments.
Workarounds
- Deactivate the Wishlist plugin until a patched version is installed if the functionality is not business-critical.
- Deploy a WAF rule that blocks POST requests to Wishlist endpoints when the Referer header does not match the site's domain.
- Enforce SameSite=Lax or SameSite=Strict attributes on WordPress authentication cookies to reduce cross-origin request risk.
# Example WAF rule (ModSecurity) to block cross-origin POSTs to the Wishlist plugin
SecRule REQUEST_METHOD "@streq POST" \
"chain,phase:1,deny,status:403,id:1003272,\
msg:'CVE-2025-32272 - Cross-origin POST to Wishlist plugin blocked'"
SecRule REQUEST_URI "@contains /wp-content/plugins/wishlist/" \
"chain"
SecRule REQUEST_HEADERS:Referer "!@beginsWith https://your-site.example/" \
"t:none"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

