Description

The YITH WooCommerce Wishlist WordPress plugin before 4.13.0 does not properly validate wishlist ownership in its save_title() AJAX handler before performing a rename. The handler only checks for a valid nonce; because that nonce is publicly exposed in the page source of the /wishlist/ page, unauthenticated attackers can rename any wishlist belonging to any user on the site.
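To make the missing check concrete, here is an added illustration of the two handler shapes (nonce-only versus nonce plus ownership check). It is not the plugin's code: the handler names, the nonce action string and the helper functions mywishlist_get_owner_id() and mywishlist_set_title() are hypothetical stand-ins.

```php
<?php
// Added illustration, not code from YITH WooCommerce Wishlist.
// Assumed (hypothetical) helpers:
//   mywishlist_get_owner_id( int $id ): int  -> owning user ID, 0 if unknown
//   mywishlist_set_title( int $id, string $title ): void

// Pattern described in the advisory: the nonce is the only gate.
// A WordPress nonce is a CSRF token, not proof of identity. It is minted for
// logged-out visitors too (keyed to user ID 0), so a value printed in the
// source of a public page lets any visitor pass check_ajax_referer().
function example_save_title_nonce_only() {
    check_ajax_referer( 'example_save_title', 'nonce' );
    $wishlist_id = absint( $_POST['wishlist_id'] ?? 0 );
    $title       = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    mywishlist_set_title( $wishlist_id, $title ); // no ownership check at all
    wp_send_json_success();
}

// Hardened shape: CSRF check, then authentication, then object-level
// authorization tying the wishlist ID in the request to the caller.
function example_save_title_checked() {
    check_ajax_referer( 'example_save_title', 'nonce' );
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'authentication required', 401 );
    }
    $wishlist_id = absint( $_POST['wishlist_id'] ?? 0 );
    $owner_id    = mywishlist_get_owner_id( $wishlist_id );
    if ( 0 === $owner_id || $owner_id !== get_current_user_id() ) {
        // Same response for "missing" and "not yours": no existence oracle.
        wp_send_json_error( 'wishlist not found', 403 );
    }
    $title = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    if ( '' === $title ) {
        wp_send_json_error( 'title required', 400 );
    }
    mywishlist_set_title( $wishlist_id, $title );
    wp_send_json_success( array( 'id' => $wishlist_id, 'title' => $title ) );
}

// Registered for authenticated users only in this illustration; a design
// that supports guest wishlists needs an equivalent session-bound owner check
// on its wp_ajax_nopriv_ route rather than relying on the nonce alone.
add_action( 'wp_ajax_example_save_title', 'example_save_title_checked' );
```

The defensive test is the one the advisory implies: a request carrying a valid nonce but a wishlist ID owned by a different user must be rejected, which the nonce-only handler never does.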

Status PUBLISHED | Reserved 2026-03-19 | Published 2026-04-10 | Updated 2026-04-10 | Assigner WPScan

Problem types

CWE-862 Missing Authorization

Product status

Default status: unaffected

Any version before 4.13.0: affected

Credits

Chiao-Lin Yu (Steven Meow): finder

WPScan: coordinator

References

wpscan.com/...rability/2f052086-b691-48df-9b08-2cb1db65e14e/ (exploit, vdb-entry, technical-description)

cve.org (CVE-2026-4432)

nvd.nist.gov (CVE-2026-4432)