CVE-2026-4432

CVE-2026-4432: YITH WooCommerce Wishlist < 4.13.0 - Unauthenticated Arbitrary Wishlist Renaming via IDOR

Vendor Unknown
Product YITH WooCommerce Wishlist
Published April 10, 2026
Last update April 10, 2026

CVSS base score

What the vulnerability does

01Description

The YITH WooCommerce Wishlist WordPress plugin before 4.13.0 does not properly validate wishlist ownership in the save_title() AJAX handler before allowing wishlist renaming operations. The function only checks for a valid nonce, which is publicly exposed in the page source of the /wishlist/ page, making it possible for unauthenticated attackers to rename any wishlist belonging to any user on the site.

Explanation of Vulnerability in Simple Terms

02Summary

A vulnerability exists in YITH WooCommerce Wishlist versions before 4.13.0. The specific attack vector and impact are not yet documented. Site administrators running affected versions should update to 4.13.0 or later. Check the plugin's changelog for details on what was patched.

What an attacker can do

03Attacker Capabilities

Unknown; insufficient technical details available.

Potential impact on your site

04Site Impact

Sites running YITH WooCommerce Wishlist < 4.13.0 may be at risk; update immediately.

Conditions required to exploit

05Prerequisites

Unknown; insufficient technical details available.

Key dates

06Disclosure timeline

April 10, 2026 CVE published
April 10, 2026 Record updated