Impact
The YITH WooCommerce Wishlist plugin allows an attacker to rename any user's wishlist. The vulnerability stems from inadequate validation of wishlist ownership in the save_title() AJAX handler: only a nonce is checked, and that nonce is publicly exposed on the /wishlist/ page, so an unauthenticated user can craft a request that changes a wishlist title. The primary impact is the alteration of user data (wishlist names) without consent, affecting the integrity and confidentiality of the wishlist information.
Affected Systems
Any WordPress site that installs the YITH WooCommerce Wishlist plugin prior to version 4.13.0 is affected. The plugin, developed by YITH, is commonly used for e‑commerce wishlists. No further version details are supplied; therefore, all releases before 4.13.0 should be considered vulnerable.
Risk and Exploitability
The CVSS score of 6.5 designates medium severity, primarily because the flaw is exploitable without authentication. The EPSS score of less than 1% indicates low probability of widespread exploitation, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is simple: an unauthenticated attacker accesses the /wishlist/ page, obtains the public nonce, and sends a crafted AJAX request to rename any wishlist. The impact is limited to the integrity of user wishlists and could obscure user intent or mislead other site visitors. The vulnerability does not grant system compromise or data exfiltration.
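The Impact and Risk sections above both come down to one coding pattern: an AJAX handler that treats a nonce as proof of authorization. The following is an added illustration, not the plugin's own code, written in the WordPress idiom the plugin lives in. It sketches the weak pattern next to a hardened form. All `example_`-prefixed names, the table name, and the nonce action are hypothetical; `check_ajax_referer`, `is_user_logged_in`, `get_current_user_id`, `wp_send_json_error`, `wp_send_json_success`, `absint`, `sanitize_text_field` and `wp_unslash` are real WordPress core functions. The hardened form assumes wishlists belong to logged-in users; a plugin that also supports guest (session-owned) wishlists would need an equivalent comparison against the session's own wishlist token instead of the `is_user_logged_in()` gate.

```php
<?php
// Added example (not the plugin's code). Shows why a nonce alone does not
// authorize a rename, and what an ownership check looks like.
// Names prefixed "example_" and the table name are hypothetical.

// Hypothetical lookup: which user owns wishlist $wishlist_id? Returns 0 if unknown.
function example_wishlist_owner_id( int $wishlist_id ): int {
    global $wpdb;
    // Placeholder table name; the real plugin stores wishlists elsewhere.
    return (int) $wpdb->get_var(
        $wpdb->prepare(
            "SELECT user_id FROM {$wpdb->prefix}example_wishlists WHERE id = %d",
            $wishlist_id
        )
    );
}

// Hypothetical persistence helper shared by both handlers.
function example_update_title( int $wishlist_id, string $title ): void {
    global $wpdb;
    $wpdb->update(
        "{$wpdb->prefix}example_wishlists",
        array( 'name' => $title ),
        array( 'id' => $wishlist_id ),
        array( '%s' ),
        array( '%d' )
    );
}

// WEAK PATTERN (the class of bug the advisory describes): only the nonce is
// verified. A nonce rendered on a public page is obtainable by anyone, so it
// defends against CSRF but says nothing about whether the caller owns the list.
function example_save_title_weak() {
    check_ajax_referer( 'example_save_title', 'nonce' );
    $wishlist_id = absint( $_POST['wishlist_id'] ?? 0 );
    $title       = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    example_update_title( $wishlist_id, $title ); // no ownership check at all
    wp_send_json_success();
}

// HARDENED PATTERN: nonce for CSRF, then authentication, then an explicit
// ownership check before any write. wp_send_json_error() calls wp_die(), so
// each failure branch terminates the request.
function example_save_title_hardened() {
    check_ajax_referer( 'example_save_title', 'nonce' );

    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'Login required.' ), 401 );
    }

    $wishlist_id = absint( $_POST['wishlist_id'] ?? 0 );
    $title       = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );

    if ( '' === $title || mb_strlen( $title ) > 200 ) {
        wp_send_json_error( array( 'message' => 'Invalid title.' ), 400 );
    }

    $owner = example_wishlist_owner_id( $wishlist_id );
    if ( 0 === $owner || $owner !== get_current_user_id() ) {
        // Same response for "does not exist" and "not yours", so the endpoint
        // cannot be used to enumerate which wishlist ids exist.
        wp_send_json_error( array( 'message' => 'Wishlist not found.' ), 403 );
    }

    example_update_title( $wishlist_id, $title );
    wp_send_json_success( array( 'title' => $title ) );
}

// Register only the hardened handler, and only for logged-in users: deliberately
// no wp_ajax_nopriv_ hook, so the endpoint is not reachable unauthenticated.
add_action( 'wp_ajax_example_save_title', 'example_save_title_hardened' );
```

The point to carry into code review: `check_ajax_referer()` establishes that the request originated from a page the site served, not who is making it. Any handler that mutates per-user data needs a separate check that the acting user owns (or is otherwise permitted to edit) the specific record, keyed on `get_current_user_id()` or a capability check, never on a client-supplied id alone.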
OpenCVE Enrichment