What the vulnerability does
01Description
The YITH WooCommerce Wishlist WordPress plugin before 4.13.0 does not properly validate wishlist ownership in the save_title() AJAX handler before allowing wishlist renaming operations. The function only checks for a valid nonce, which is publicly exposed in the page source of the /wishlist/ page, making it possible for unauthenticated attackers to rename any wishlist belonging to any user on the site.
Explanation of Vulnerability in Simple Terms
02Summary
A vulnerability exists in YITH WooCommerce Wishlist versions before 4.13.0. The specific attack vector and impact are not yet documented. Site administrators running affected versions should update to 4.13.0 or later. Check the plugin's changelog for details on what was patched.
What an attacker can do
03Attacker Capabilities
Unknown; insufficient technical details available.
Potential impact on your site
04Site Impact
Sites running YITH WooCommerce Wishlist < 4.13.0 may be at risk; update immediately.
Conditions required to exploit
05Prerequisites
Unknown; insufficient technical details available.
Key dates
06Disclosure timeline
April 10, 2026
CVE published
April 10, 2026
Record updated