CVE-2026-4432 YITH WooCommerce Wishlist < 4.13.0 - Unauthenticated Arbitrary Wishlist Renaming via IDOR
The YITH WooCommerce Wishlist WordPress plugin before 4.13.0 does not properly validate wishlist ownership in the savetitle AJAX handler before allowing wishlist renaming operations. The function only checks for a valid nonce, which is publicly exposed in the page source of the /wishlist/ page,...