cleantalk
Vulnerabilities and Security Researches

YITH WooCommerce Wishlist, CVE-2026-4432

CVE, Research URL

CVE-2026-4432

Home page URL

Security reports for YITH WooCommerce Wishlist

Application

YITH WooCommerce Wishlist

Published on
Apr 10, 2026
Research Description
The YITH WooCommerce Wishlist WordPress plugin before 4.13.0 does not properly validate wishlist ownership in the save_title() AJAX handler before allowing wishlist renaming operations. The function only checks for a valid nonce, which is publicly exposed in the page source of the /wishlist/ page, making it possible for unauthenticated attackers to rename any wishlist belonging to any user on the site.
Affected versions
max 4.13.0.
Status
vulnerable
Previous vulnerability researches
TZ Plus Gallery (CVE-2025-31756) , Apr 03, 2025
TZ Plus Gallery (CVE-2025-57974) , Apr 24, 2026
New vulnerability
WP-Members Membership Plugin (CVE-2025-57973) , Apr 25, 2026
WooCommerce Cart Abandonment Recovery (CVE-2026-39470) , Apr 25, 2026
a3 Lazy Load (CVE-2025-9873) , Apr 25, 2026
Brizy – Page Builder (CVE-2025-0969) , Apr 25, 2026
GHL Wizard (CVE-2025-5483) , Apr 25, 2026