3 matches found
CVE-2026-4432
CVE-2026-4432 concerns the YITH WooCommerce Wishlist WordPress plugin prior to 4.13.0. Publicly exposed nonce in the /wishlist page allows unauthenticated attackers to rename any wishlist, due to insufficient ownership validation in the save_title() AJAX handler. Technical details across connecte...
CVE-2025-12427 YITH WooCommerce Wishlist <= 4.10.0 - Unauthenticated Insecure Direct Object Reference to Unauthenticated Wishlist Rename
The YITH WooCommerce Wishlist plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.10.0 via the REST API endpoint and AJAX handler due to missing validation on user-controlled keys. This makes it possible for unauthenticated attackers to...
WordPress YITH WooCommerce Wishlist plugin <= 4.10.0 - Unauthenticated Insecure Direct Object Reference to Unauthenticated Wishlist Rename vulnerability
Unauthenticated Insecure Direct Object Reference to Unauthenticated Wishlist Rename vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin YITH WooCommerce Wishlist versions = 4.10.0...