cleantalk
Vulnerabilities and Security Researches

YITH WooCommerce Wishlist, CVE-2026-4432

CVE, Research URL

CVE-2026-4432

Home page URL

Security reports for YITH WooCommerce Wishlist

Application

YITH WooCommerce Wishlist

Published on
Apr 10, 2026
Research Description
The YITH WooCommerce Wishlist WordPress plugin before 4.13.0 does not properly validate wishlist ownership in the save_title() AJAX handler before allowing wishlist renaming operations. The function only checks for a valid nonce, which is publicly exposed in the page source of the /wishlist/ page, making it possible for unauthenticated attackers to rename any wishlist belonging to any user on the site.
Affected versions
max 4.13.0.
Status
vulnerable
Previous vulnerability researches
Portfolio & Image Gallery for WordPress | PowerFolio (CVE-2024-22150) , Jun 07, 2024
Portfolio & Image Gallery for WordPress | PowerFolio (2dcc339fa5572c0b8975f48ffa24bcca0ae340a1) , Jun 07, 2024
Portfolio & Image Gallery for WordPress | PowerFolio (CVE-2022-4765) , Jun 07, 2024
Portfolio & Image Gallery for WordPress | PowerFolio (CVE-2025-57932) , Apr 24, 2026
Portfolio & Image Gallery for WordPress | PowerFolio (CVE-2022-4974) , Nov 15, 2024
New vulnerability
Best WooCommerce Builder for Elementor: Customize Checkout, Shop, Product & More With CoDesigner (CVE-2025-57961) , Apr 25, 2026
Themify Builder (CVE-2025-9353) , Apr 25, 2026
Zoho Flow (CVE-2025-8479) , Apr 25, 2026
Zoho Flow (CVE-2025-59568) , Apr 25, 2026
Sheets to WP Table Live Sync – WordPress Table Plugin with Google Sheets Integration (CVE-2025-9543) , Apr 25, 2026