Improper Access Control in YITH WooCommerce Wishlist Plugin by YITH
CVE-2026-4432


Key Information:

Vendor

WordPress

CVE Published:

10 April 2026

Badges

👾 Exploit Exists · 🟡 Public PoC

What is CVE-2026-4432?

The YITH WooCommerce Wishlist Plugin prior to version 4.13.0 lacks adequate validation of wishlist ownership within its AJAX handler for renaming operations. Specifically, it only verifies a valid nonce, which can be easily accessed through the public source of the /wishlist/ page. This oversight allows unauthenticated attackers to modify any wishlist's title, compromising user data integrity and trust.
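The weakness described above is a general WordPress AJAX pattern: a nonce proves that a request came from a page that embedded that nonce, not who sent it or whether they own the object being changed. The following is an added illustration, not code from the YITH plugin or from the advisory, showing a hypothetical "rename wishlist" handler in its nonce-only form next to a form that also requires authentication and verifies ownership. The action name, nonce action, table name and column names (`example_rename_wishlist`, `example_wishlist_nonce`, `wp_example_wishlists`, `user_id`, `title`) are assumptions for the example.

```php
<?php
// Added illustration (not the plugin's code). All names below are hypothetical.

// --- Weak pattern: nonce only -------------------------------------------
// check_ajax_referer() only confirms the nonce matches the 'example_wishlist_nonce'
// action. If that nonce is printed on a publicly viewable page, any visitor can
// read it and pass this check, so nothing ties the request to the wishlist's owner.
function example_rename_wishlist_nonce_only() {
    check_ajax_referer( 'example_wishlist_nonce', 'nonce' );
    global $wpdb;
    $wishlist_id = absint( $_POST['wishlist_id'] ?? 0 );
    $title       = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    $wpdb->update(
        $wpdb->prefix . 'example_wishlists',       // hypothetical table
        array( 'title' => $title ),
        array( 'id' => $wishlist_id )              // no owner in the WHERE clause
    );
    wp_send_json_success();
}

// --- Hardened pattern: nonce + authentication + ownership check ----------
function example_rename_wishlist_checked() {
    check_ajax_referer( 'example_wishlist_nonce', 'nonce' );

    // 1. Require an authenticated user. wp_send_json_error() terminates the request.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'authentication required' ), 401 );
    }

    global $wpdb;
    $wishlist_id = absint( $_POST['wishlist_id'] ?? 0 );
    $title       = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );

    // 2. Load the record's owner and compare it with the current user.
    $owner_id = (int) $wpdb->get_var( $wpdb->prepare(
        "SELECT user_id FROM {$wpdb->prefix}example_wishlists WHERE id = %d",
        $wishlist_id
    ) );
    if ( 0 === $wishlist_id || 0 === $owner_id || $owner_id !== get_current_user_id() ) {
        // Same response for "does not exist" and "not yours", so IDs cannot be probed.
        wp_send_json_error( array( 'message' => 'wishlist not found' ), 404 );
    }

    // 3. Validate the new value before persisting it.
    if ( '' === $title || mb_strlen( $title ) > 100 ) {
        wp_send_json_error( array( 'message' => 'invalid title' ), 400 );
    }

    // 4. Repeat the owner constraint in the WHERE clause so a race between the
    //    read above and this write cannot update a row the user does not own.
    $wpdb->update(
        $wpdb->prefix . 'example_wishlists',
        array( 'title' => $title ),
        array( 'id' => $wishlist_id, 'user_id' => $owner_id )
    );
    wp_send_json_success( array( 'title' => $title ) );
}

// Register only the checked handler, and only for logged-in users: with no
// wp_ajax_nopriv_ registration, unauthenticated requests never reach it.
add_action( 'wp_ajax_example_rename_wishlist', 'example_rename_wishlist_checked' );
```

When reviewing a plugin for this class of bug, the question to ask of every `wp_ajax_` and especially every `wp_ajax_nopriv_` handler is whether it checks (a) a nonce, (b) that a user is authenticated, and (c) that the user owns or may administer the specific object identified by the request. A handler that stops at (a) has the shape described in this advisory.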

Affected Version(s)

YITH WooCommerce Wishlist: all versions from 0 up to, but not including, 4.13.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to ransomware.

References

Timeline

  • 🟡 Public PoC available

  • 👾 Exploit known to exist

  • Vulnerability published

  • Vulnerability reserved

Credit

Chiao-Lin Yu (Steven Meow)
WPScan