YITH WooCommerce Wishlist
cpe:2.3:a:yithemes:yith_woocommerce_wishlist:*:*:*:*:wordpress:*:*
- <= 4.10.0
A vulnerability exists in the YITH WooCommerce Wishlist plugin for WordPress, affecting all versions up to and including 4.10.0. The issue stems from improper authorization checks on the REST API endpoint '/wp-json/yith/wishlist/v1/lists' and the AJAX 'delete_item' handler. This oversight allows unauthenticated attackers to access wishlist tokens of any user and delete items from their wishlists. Exploitation involves combining the REST API authorization bypass with the 'delete_item' nonce available on shared wishlist pages.
Exploitation of this vulnerability could lead to unauthorized deletion of wishlist items for any user.
To reproduce this vulnerability, send a request to the '/wp-json/yith/wishlist/v1/lists' endpoint without proper authentication. This can be done using a tool like Postman or through a custom script. Once the request is sent, the response will include wishlist tokens for users. Next, use the 'delete_item' AJAX handler to remove items from the wishlist by providing the item ID and the corresponding nonce. This action can be performed without authentication, exploiting the lack of authorization checks on the REST API endpoint and the AJAX handler.
Users are advised to update the YITH WooCommerce Wishlist plugin to version 4.10.1 or later.
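The two weaknesses the advisory names are an authorization gap on a REST route and an AJAX handler that trusts a nonce which is also exposed on shared pages. The following is an added example written for this page, not code from the YITH plugin, showing how a WordPress plugin would register the same kind of route and handler with the checks in place: the REST route uses a real `permission_callback` instead of `__return_true`, and the delete handler is registered for logged-in users only and operates solely on the caller's own lists. The namespace `example-wishlist/v1`, the `example_` function names, the meta key and the nonce action are all hypothetical; the WordPress functions (`register_rest_route`, `check_ajax_referer`, `get_user_meta`, `wp_send_json_error`) are standard core APIs.

```php
<?php
/**
 * Added example (not the plugin's code): a wishlist REST route and an AJAX
 * delete handler scoped so that each caller can only read or modify their
 * own lists. All 'example_' names, the route namespace, the meta key and the
 * nonce action are hypothetical.
 */

// Wishlists are kept per user in user meta as array( list_id => array( item_id, ... ) ).
const EXAMPLE_WISHLIST_META = 'example_wishlist_lists';

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-wishlist/v1', '/lists', array(
        'methods'  => WP_REST_Server::READABLE,
        'callback' => 'example_wishlist_get_lists',
        // The weak setting is 'permission_callback' => '__return_true', which
        // answers every caller, authenticated or not, with the requested
        // user's lists. A real callback decides per request.
        'permission_callback' => 'example_wishlist_lists_permission',
        'args' => array(
            'user_id' => array( 'type' => 'integer', 'sanitize_callback' => 'absint' ),
        ),
    ) );
} );

// Authorization, not just authentication: a logged-in user may read their own
// lists; reading another user's lists requires a store-management capability.
function example_wishlist_lists_permission( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'Authentication required.', array( 'status' => 401 ) );
    }
    $requested = (int) $request->get_param( 'user_id' );
    if ( $requested && $requested !== get_current_user_id() && ! current_user_can( 'manage_woocommerce' ) ) {
        return new WP_Error( 'rest_forbidden', 'You may only view your own wishlists.', array( 'status' => 403 ) );
    }
    return true;
}

function example_wishlist_get_lists( WP_REST_Request $request ) {
    $user_id = (int) $request->get_param( 'user_id' );
    if ( ! $user_id ) {
        $user_id = get_current_user_id();
    }
    $lists = get_user_meta( $user_id, EXAMPLE_WISHLIST_META, true );
    // Only list ids and item ids are returned; share tokens are not part of
    // this response, so the route cannot be used to harvest them.
    return rest_ensure_response( is_array( $lists ) ? $lists : array() );
}

// Destructive AJAX action: hooked on wp_ajax_ only (no wp_ajax_nopriv_ hook,
// so unauthenticated requests never reach it), nonce-checked, and limited
// to the caller's own lists.
add_action( 'wp_ajax_example_wishlist_delete_item', 'example_wishlist_ajax_delete_item' );

function example_wishlist_ajax_delete_item() {
    // A nonce proves the request originated from a page the site rendered.
    // Because nonces can appear on shared wishlist pages, it says nothing
    // about who owns the list, so ownership is checked separately below.
    check_ajax_referer( 'example_wishlist_delete_item', 'nonce' );

    $list_id = isset( $_POST['list_id'] ) ? absint( $_POST['list_id'] ) : 0;
    $item_id = isset( $_POST['item_id'] ) ? absint( $_POST['item_id'] ) : 0;

    // Ownership check: only the current user's own meta is ever read or
    // written, so guessing another user's list or item id has no effect.
    $user_id = get_current_user_id();
    $lists   = get_user_meta( $user_id, EXAMPLE_WISHLIST_META, true );
    if ( ! is_array( $lists ) || ! isset( $lists[ $list_id ] ) ) {
        wp_send_json_error( array( 'message' => 'List not found.' ), 404 );
    }
    $pos = array_search( $item_id, $lists[ $list_id ], true );
    if ( false === $pos ) {
        wp_send_json_error( array( 'message' => 'Item not found.' ), 404 );
    }
    unset( $lists[ $list_id ][ $pos ] );
    $lists[ $list_id ] = array_values( $lists[ $list_id ] );
    update_user_meta( $user_id, EXAMPLE_WISHLIST_META, $lists );
    wp_send_json_success( array( 'list_id' => $list_id, 'items' => $lists[ $list_id ] ) );
}
```

The design point is that the nonce and the ownership check answer different questions. `check_ajax_referer` only establishes that the request came from a page the site served, which is exactly what a shared wishlist page provides to anyone who views it; the decision about whether the caller may delete the item comes from reading and writing the current user's own data and nothing else. Likewise, on the REST side a `permission_callback` that returns `true` unconditionally makes the route public, so the callback has to compare the requested user with `get_current_user_id()` or a capability check.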