What the vulnerability does
01Description
Authorization Bypass Through User-Controlled Key vulnerability in YITH YITH WooCommerce Wishlist allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects YITH WooCommerce Wishlist: from n/a through 4.12.0.
Explanation of Vulnerability in Simple Terms
02Summary
YITH WooCommerce Wishlist versions up to 4.12.0 contain an integrity vulnerability allowing unauthenticated attackers to modify data over the network without user interaction. The vulnerability has a CVSS score of 5.3 (medium severity). No confidentiality or availability impact is present. Update to a version newer than 4.12.0 to remediate.
What an attacker can do
03Attacker Capabilities
Modify wishlist data or related information without authentication.
Potential impact on your site
04Site Impact
Wishlist data integrity cannot be guaranteed; attackers can alter customer wishlists without logging in.
Conditions required to exploit
05Prerequisites
Network access only; no authentication or user interaction required.
Key dates
06Disclosure timeline
May 7, 2026
CVE published
May 7, 2026
Record updated