CVE-2026-27329
Deferred Deferred - Pending Action
Authorization Bypass in YITH WooCommerce Wishlist

Publication date: 2026-05-07

Last updated on: 2026-05-07

Assigner: Patchstack

Description
Authorization Bypass Through User-Controlled Key vulnerability in YITH YITH WooCommerce Wishlist allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects YITH WooCommerce Wishlist: from n/a through 4.12.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-07
Last Modified
2026-05-07
Generated
2026-06-16
AI Q&A
2026-05-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27329
EUVD
EUVD-2026-28334
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
yith yith_woocommerce_wishlist to 4.12.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-27329 is an Insecure Direct Object References (IDOR) vulnerability in the WordPress YITH WooCommerce Wishlist Plugin versions 4.12.0 and earlier.

This flaw allows unauthorized users to bypass authorization controls and access sensitive files, folders, or interact with the database due to improperly configured access control security levels.

It is classified under OWASP Top 10's A1: Broken Access Control and has a CVSS score of 5.3, indicating a low severity impact.

Impact Analysis

This vulnerability can allow unauthorized users to bypass access controls and gain access to sensitive data or interact with the database without permission.

While the severity is considered low, attackers could exploit this vulnerability in large-scale campaigns targeting thousands of websites, potentially leading to data exposure or unauthorized actions.

Users of the affected plugin versions are advised to update to version 4.13.0 immediately to mitigate this risk.

Mitigation Strategies

To mitigate the CVE-2026-27329 vulnerability in the YITH WooCommerce Wishlist plugin, you should immediately update the plugin to version 4.13.0 or later, where the issue has been patched.

If you are using Patchstack, enabling auto-updates for vulnerable plugins can help ensure you receive security patches promptly.

Since the vulnerability allows unauthorized access due to improper access controls, applying the update is the most effective immediate step to prevent exploitation.

Compliance Impact

The vulnerability allows unauthorized users to bypass authorization and access sensitive files, folders, or interact with the database due to improper access controls.

Such unauthorized access could potentially lead to exposure or manipulation of sensitive data, which may impact compliance with data protection regulations like GDPR or HIPAA that require strict access controls to protect personal and sensitive information.

However, the provided information does not explicitly mention the direct impact on compliance with these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27329. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart