Description

The YITH WooCommerce Wishlist WordPress plugin before 4.13.0 does not properly validate wishlist ownership in the save_title() AJAX handler before allowing wishlist renaming operations. The function only checks for a valid nonce, which is publicly exposed in the page source of the /wishlist/ page, making it possible for unauthenticated attackers to rename any wishlist belonging to any user on the site.

INFO

Published Date :

2026-04-10T06:00:15.515Z

Last Modified :

2026-04-10T18:35:19.917Z

Source :

WPScan
AFFECTED PRODUCTS

The following products are affected by CVE-2026-4432 vulnerability.

Vendors Products
Wordpress
  • Wordpress
Yithemes
  • Yith Woocommerce Wishlist
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-4432.

URL Resource
https://wpscan.com/vulnerability/2f052086-b691-48df-9b08-2cb1db65e14e/ cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System