Executive Summary

CVE-2026-4432 is an Insecure Direct Object Reference (IDOR) vulnerability in the YITH WooCommerce Wishlist WordPress plugin versions before 4.13.0.

The vulnerability occurs because the plugin's save_title() AJAX handler does not properly verify that the user requesting a wishlist rename actually owns that wishlist.

Instead, it only checks for a nonce token, which is publicly exposed in the page source of the /wishlist/ page, allowing unauthenticated attackers to rename any wishlist belonging to any user.

An attacker can extract the nonce from the page, identify a target wishlist ID, and send a crafted POST request to rename that wishlist without authorization.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows unauthenticated attackers to rename any user's wishlist on a site running the vulnerable plugin.

Such unauthorized modifications can lead to confusion, loss of trust, and potential disruption of user experience on the affected e-commerce site.

It represents a medium severity risk (CVSS 5.3) due to broken access control, potentially undermining the integrity of user data.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if the site is running a vulnerable version of the YITH WooCommerce Wishlist plugin (prior to 4.13.0) and by attempting to identify if the `save_title` nonce is publicly accessible in the page source of the `/wishlist/` page.

To detect exploitation attempts or test the vulnerability, you can perform the following steps:

• Access the `/wishlist/` page and extract the `save_title` nonce from the page source.
• Identify a wishlist ID to target (this may require database access or monitoring network traffic).
• Send an unauthenticated POST request to the WordPress AJAX endpoint `/wp-admin/admin-ajax.php` with parameters: `action=save_title`, the extracted `nonce`, the `wishlist_id`, and a new `title`.

Example command using curl to test the vulnerability (replace placeholders accordingly):

• curl -X POST https://example.com/wp-admin/admin-ajax.php -d "action=save_title&nonce=EXTRACTED_NONCE&wishlist_id=TARGET_ID&title=NewTitle"

If the wishlist title changes without authentication or proper authorization, the vulnerability is present.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and recommended mitigation step is to update the YITH WooCommerce Wishlist plugin to version 4.13.0 or later, where this vulnerability has been fixed.

Until the update can be applied, consider the following temporary measures:

• Restrict access to the `/wishlist/` page or the AJAX endpoint `/wp-admin/admin-ajax.php` to authenticated and authorized users only.
• Implement additional server-side access controls or firewall rules to block unauthenticated POST requests targeting the `save_title` action.
• Monitor logs for suspicious POST requests to the AJAX endpoint with the `save_title` action.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows unauthenticated attackers to rename any user's wishlist without proper authorization, indicating a failure in access control mechanisms.

Such unauthorized modification of user data can lead to violations of data protection principles required by standards like GDPR and HIPAA, which mandate strict controls over user data access and integrity.

Specifically, the lack of proper ownership validation and exposure of a nonce token publicly could be seen as a breach of confidentiality and integrity requirements, potentially impacting compliance with these regulations.

Useful 0 Not Useful 0