Impact
The YITH WooCommerce Wishlist plugin for WordPress contains a flaw that allows an attacker to rename any user's wishlist without authentication. The AJAX endpoint save_title validates only a nonce that is embedded in the page source of the public /wishlist/ page, so an unauthenticated user can obtain the nonce, send a request, and change the title of any wishlist. This compromises data integrity, can mislead users, and facilitates social engineering or brand confusion. The weakness is an Insecure Direct Object Reference: the handler confirms that the request carries a valid nonce but never confirms that the caller owns the wishlist being renamed.
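The following is an added example written for this advisory, not code from the YITH WooCommerce Wishlist plugin. It contrasts a WordPress AJAX handler that relies on a nonce alone (the flaw class described above) with a hardened handler that also requires a logged-in user and an object-level ownership check. The action name, nonce name, table name and the two storage helpers are assumptions; only the WordPress API calls (check_ajax_referer, is_user_logged_in, get_current_user_id, current_user_can, wp_send_json_error, add_action) are real.

```php
<?php
/**
 * Added example (not the plugin's own code). Demonstrates why a nonce is not
 * authorization: it proves the request originated from a page that rendered
 * the nonce, not that the caller may edit the object identified in the request.
 * Storage helpers, action and nonce names, and the table name are hypothetical.
 */

/** Hypothetical: return the owner user ID of a wishlist, or 0 if it does not exist. */
function example_wishlist_owner_id( int $wishlist_id ): int {
    global $wpdb;
    $table = $wpdb->prefix . 'example_wishlists'; // assumed table name
    $owner = $wpdb->get_var(
        $wpdb->prepare( "SELECT user_id FROM {$table} WHERE id = %d", $wishlist_id )
    );
    return (int) $owner;
}

/** Hypothetical: persist a new title for a wishlist. */
function example_wishlist_set_title( int $wishlist_id, string $title ): bool {
    global $wpdb;
    $table = $wpdb->prefix . 'example_wishlists'; // assumed table name
    return false !== $wpdb->update(
        $table,
        array( 'name' => $title ),
        array( 'id' => $wishlist_id ),
        array( '%s' ),
        array( '%d' )
    );
}

/**
 * Vulnerable pattern: nonce check only, reachable without login.
 * Any caller who can read the nonce from a public page can rename any wishlist
 * simply by supplying a different wishlist_id (IDOR).
 */
function example_save_title_nonce_only() {
    check_ajax_referer( 'example_wishlist_nonce', 'nonce' );
    $wishlist_id = absint( $_POST['wishlist_id'] ?? 0 );
    $title       = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    example_wishlist_set_title( $wishlist_id, $title ); // no ownership check
    wp_send_json_success();
}

/**
 * Hardened pattern: nonce + authentication + object-level authorization.
 * wp_send_json_error() terminates the request, so no return is needed after it.
 */
function example_save_title_hardened() {
    check_ajax_referer( 'example_wishlist_nonce', 'nonce' );

    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'Authentication required.' ), 401 );
    }

    $wishlist_id = absint( $_POST['wishlist_id'] ?? 0 );
    $title       = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );

    if ( 0 === $wishlist_id || '' === $title ) {
        wp_send_json_error( array( 'message' => 'Invalid input.' ), 400 );
    }

    // Object-level check: only the wishlist owner (or a site administrator)
    // may rename this particular wishlist.
    $owner_id = example_wishlist_owner_id( $wishlist_id );
    if ( 0 === $owner_id
        || ( $owner_id !== get_current_user_id() && ! current_user_can( 'manage_options' ) ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }

    if ( ! example_wishlist_set_title( $wishlist_id, $title ) ) {
        wp_send_json_error( array( 'message' => 'Update failed.' ), 500 );
    }
    wp_send_json_success( array( 'id' => $wishlist_id, 'title' => $title ) );
}

// Register only the logged-in hook for the hardened handler. Deliberately omit
// wp_ajax_nopriv_example_save_title so anonymous requests never reach it.
add_action( 'wp_ajax_example_save_title', 'example_save_title_hardened' );
```

The two handlers differ only in the checks between the nonce verification and the database write; the point for reviewers of similar plugins is that a valid nonce on a state-changing AJAX action must be paired with a per-object authorization check, and that a handler which modifies user-owned data should not be registered on the wp_ajax_nopriv_ hook at all.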
Affected Systems
Any WordPress site that has the YITH WooCommerce Wishlist plugin installed and running a version earlier than 4.13.0 is affected. The vulnerability resides in the plugin itself and does not depend on specific versions of WordPress core or other plugins, so the impact applies to all installations of the affected plugin release.
Risk and Exploitability
Because no authentication is required and the required nonce is publicly retrievable, the attack path is straightforward. While no CVSS score is provided in the CVE data, the inherent privilege escalation and potential for user confusion suggest high impact. The EPSS score is unavailable and the vulnerability is not listed in CISA's KEV catalog; however, the lack of mitigation and the clear exploitation steps increase the likelihood that servers will be targeted once the exploit is discovered.
OpenCVE Enrichment