WordPress Plugin Vulnerabilities

YITH WooCommerce Wishlist < 4.13.0 - Unauthenticated Arbitrary Wishlist Renaming via IDOR

Description

The plugin does not properly validate wishlist ownership in the save_title() AJAX handler before allowing wishlist renaming operations. The function only checks for a valid nonce, which is publicly exposed in the page source of the /wishlist/ page, making it possible for unauthenticated attackers to rename any wishlist belonging to any user on the site.

Proof of Concept

Affects Plugins

Plugin icon
yith-woocommerce-wishlist
Fixed in 4.13.0

References

CVE
CVE-2026-4432

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Chiao-Lin Yu (Steven Meow)
Submitter
Chiao-Lin Yu (Steven Meow)
Submitter website
https://www.linkedin.com/in/chiao-lin-yu-195533170/
Verified
Yes
WPVDB ID
2f052086-b691-48df-9b08-2cb1db65e14e

Timeline

Publicly Published
2026-03-20 (about 21 days ago)
Added
2026-03-20 (about 20 days ago)
Last Updated
2026-03-20 (about 20 days ago)

Other

Published
Title
Published
2025-11-18
Title
wpForo Forum < 2.4.11 - Missing Authorization
Published
2025-04-16
Title
ActiveDEMAND < 0.2.47 - Missing Authorization
Published
2025-12-31
Title
Watcher for Elementor <= 1.0.9 - Missing Authorization
Published
2025-01-06
Title
LazyLoad Background Images <= 1.0.7 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update
Published
2023-10-25
Title
YITH WooCommerce Product Add-Ons < 4.2.1 - Missing Authorization