Impact
The vulnerability is an insecure direct object reference (IDOR) that permits an attacker to retrieve or manipulate wishlist objects belonging to other users. It stems from missing or improperly configured authorization checks and is classified as CWE-639 (Authorization Bypass Through User-Controlled Key). An adversary who can identify a valid wishlist identifier can directly access or modify entries they have no permission to view or edit, potentially exposing personal data and compromising privacy.
Affected Systems
The affected product is the YITH WooCommerce Wishlist plugin for WordPress; all released versions up to and including 4.12.0 are affected. The issue is present from the first release through 4.12.0, and no specific product variants are called out. Administrators should audit every WordPress site that hosts this plugin within that version range.
Risk and Exploitability
The CVSS score of 5.3 indicates moderate (medium) severity. No EPSS score is available, and the vulnerability is not listed in CISA’s KEV catalog, which suggests that it is not yet widely exploited. The attack vector is inferred to be remote over the web, since the plugin runs within the WordPress environment and accepts user-controlled identifiers in requests. Successful exploitation would give read or write access to another user’s wishlist items, potentially leading to privacy breaches or data tampering.
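To make the access-control flaw described above concrete, the following is an added illustration of the CWE-639 pattern in a WordPress AJAX handler: a wishlist looked up purely by a client-supplied ID, beside the same handler with an authentication and ownership check. This is example code written for this page, not the YITH plugin's own code; the function names, the `example_wishlists` table and the `example_wishlist` nonce action are hypothetical.

```php
<?php
// Added illustration, not YITH's code: hypothetical names throughout.

// Hypothetical lookup: returns ['id' => int, 'user_id' => int, 'items' => string] or null.
function example_get_wishlist( int $wishlist_id ): ?array {
    global $wpdb;
    $row = $wpdb->get_row(
        $wpdb->prepare(
            "SELECT id, user_id, items FROM {$wpdb->prefix}example_wishlists WHERE id = %d",
            $wishlist_id
        ),
        ARRAY_A
    );
    return $row ?: null;
}

// Weak pattern (CWE-639): knowing the ID is treated as proof of authorization,
// so any caller who guesses or enumerates an ID can read another user's wishlist.
function example_ajax_get_wishlist_unchecked() {
    $wishlist_id = isset( $_GET['wishlist_id'] ) ? absint( $_GET['wishlist_id'] ) : 0;
    $wishlist    = example_get_wishlist( $wishlist_id );
    if ( ! $wishlist ) {
        wp_send_json_error( 'not found', 404 );
    }
    wp_send_json_success( $wishlist );
}

// Corrected pattern: authenticate the request, then verify the object belongs to the caller.
function example_ajax_get_wishlist_checked() {
    check_ajax_referer( 'example_wishlist', 'nonce' ); // rejects forged cross-site requests
    $user_id = get_current_user_id();
    if ( 0 === $user_id ) {
        wp_send_json_error( 'login required', 401 );
    }
    $wishlist_id = isset( $_GET['wishlist_id'] ) ? absint( $_GET['wishlist_id'] ) : 0;
    $wishlist    = example_get_wishlist( $wishlist_id );
    // One response for "missing" and "not yours", so the status code does not reveal
    // which IDs exist.
    if ( ! $wishlist || (int) $wishlist['user_id'] !== $user_id ) {
        wp_send_json_error( 'not found', 404 );
    }
    wp_send_json_success( $wishlist );
}

// Register only the checked handler for logged-in users (wp_ajax_ prefix).
add_action( 'wp_ajax_example_get_wishlist', 'example_ajax_get_wishlist_checked' );
```

The same ownership comparison belongs in every handler that updates or deletes a wishlist, not only the read path, since the advisory covers both retrieval and manipulation.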
OpenCVE Enrichment