CVE-2026-4432
Description
The YITH WooCommerce Wishlist WordPress plugin before 4.13.0 does not properly validate wishlist ownership in the save_title() AJAX handler before allowing wishlist renaming operations. The function only checks for a valid nonce, which is publicly exposed in the page source of the /wishlist/ page, making it possible for unauthenticated attackers to rename any wishlist belonging to any user on the site.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The YITH WooCommerce Wishlist plugin before 4.13.0 allows unauthenticated attackers to rename any user's wishlist because the save_title() AJAX handler checks only a nonce and never verifies wishlist ownership (an IDOR).
The YITH WooCommerce Wishlist plugin for WordPress, versions prior to 4.13.0, contains an Insecure Direct Object Reference (IDOR) vulnerability in the save_title() AJAX handler. The plugin fails to validate wishlist ownership before allowing renaming operations; it only verifies a nonce, which is publicly available in the page source of /wishlist/ pages. Because a nonce only shows that the request originated from a page that rendered it, and says nothing about who owns the target object, an unauthenticated attacker can supply an arbitrary wishlist ID [1].
An attacker exploits this by sending a request to the AJAX action served by save_title() with a valid nonce (read from the frontend page source) and a target wishlist ID belonging to another user. No authentication is required, and the attacker can change the title of any existing wishlist to any text they choose [1].
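The following is an added illustration of the bug class and its fix, not the YITH plugin's own code. It models a WordPress AJAX rename handler in two forms: the nonce-only pattern the description attributes to the vulnerable versions, and a hardened version that also requires a logged-in user and an object-level ownership check. Every name in it (the example_save_title action, the example_wishlist post type with post_author as owner, the wishlist_id and title parameters) is an assumption for the example; the plugin's real storage model, action names and parameter names are not reproduced here.

```php
<?php
/*
 * Hypothetical illustration of the bug class in CVE-2026-4432, not the YITH
 * plugin's own code. Wishlists are modelled as a custom post type
 * ('example_wishlist') whose post_author is the owner. The action name and
 * request parameters are assumptions made for this example.
 */

// Vulnerable pattern: the only gate is the nonce. A nonce proves the request
// came from a page that rendered the nonce; it proves nothing about who owns
// the object named by wishlist_id.
function example_save_title_vulnerable() {
    check_ajax_referer( 'example_save_title', 'nonce' );

    $wishlist_id = absint( $_POST['wishlist_id'] ?? 0 );
    $title       = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );

    // No ownership check: any wishlist_id on the site is accepted.
    wp_update_post( array( 'ID' => $wishlist_id, 'post_title' => $title ) );
    wp_send_json_success();
}

// Hardened pattern: CSRF nonce, authentication, input validation and
// object-level authorization, in that order.
function example_save_title_fixed() {
    check_ajax_referer( 'example_save_title', 'nonce' );

    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 401 );
    }

    $wishlist_id = absint( $_POST['wishlist_id'] ?? 0 );
    $title       = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );

    if ( '' === $title || mb_strlen( $title ) > 100 ) {
        wp_send_json_error( 'invalid title', 400 );
    }

    if ( ! example_user_owns_wishlist( get_current_user_id(), $wishlist_id ) ) {
        // Same response for "not yours" and "does not exist", so the endpoint
        // cannot be used to enumerate which wishlist ids are valid.
        wp_send_json_error( 'not found', 404 );
    }

    wp_update_post( array( 'ID' => $wishlist_id, 'post_title' => $title ) );
    wp_send_json_success( array( 'id' => $wishlist_id, 'title' => $title ) );
}

// Object-level authorization: the wishlist must exist, be of the expected
// type, and be authored by the calling user.
function example_user_owns_wishlist( $user_id, $wishlist_id ) {
    $post = get_post( $wishlist_id );
    return $post instanceof WP_Post
        && 'example_wishlist' === $post->post_type
        && (int) $post->post_author === (int) $user_id;
}

// Registered for logged-in users only. There is deliberately no matching
// wp_ajax_nopriv_ hook, so anonymous callers never reach the handler at all.
add_action( 'wp_ajax_example_save_title', 'example_save_title_fixed' );
```

The point of the hardened version is that the nonce stays (it is still the CSRF defence) but is no longer the authorization decision; that decision is made by example_user_owns_wishlist() against the calling user. If an application also supports anonymous wishlists, the ownership check must bind them to the guest's session token rather than to a user ID; the page does not say how YITH handles that case, so this example only covers the logged-in path.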
The impact is limited to unauthorized modification of wishlist names, which can still be used for confusion, social engineering or defacement of users' wishlists. The description gives no indication that the action exposes sensitive data; the severity comes from the low attack complexity and the absence of any authentication requirement [CVE Description].
The vulnerability was fixed in version 4.13.0 of the plugin. Site administrators should update to 4.13.0 or later immediately; the installed version can be confirmed from the WordPress Plugins screen or with WP-CLI (wp plugin list). No workaround has been published, and the vulnerability is publicly known with a proof of concept available [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- YITH WooCommerce Wishlist (WordPress plugin): versions before 4.13.0
Patches
No patch commits or links discovered yet; the description states the issue is fixed in version 4.13.0.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] (reference URL not reproduced on this page)
News mentions
No linked articles in our index yet.