YITH WooCommerce Wishlist Missing Ownership Validation Vulnerability in AJAX Handler

Vulnerability

A vulnerability exists in the YITH WooCommerce Wishlist WordPress plugin in versions prior to 4.13.0. The issue arises because the plugin's save_title() AJAX handler fails to validate ownership of a wishlist before allowing a user to rename it. The handler only verifies the nonce, which is publicly accessible in the page source of the /wishlist/ page. A WordPress nonce is a CSRF token: it shows that the request originated from a page that rendered the nonce, not that the requester is authenticated or owns the object being modified. Because no authorization check follows the nonce check, unauthenticated attackers can rename any wishlist belonging to any user on the site.

Impact

Exploitation of this vulnerability allows unauthorized users, including unauthenticated visitors, to rename wishlists that belong to other users.

Reproduction

To reproduce this vulnerability, first visit the /wishlist/ page on a site with the vulnerable plugin version active. View the page source to locate the save_title nonce, which is exposed publicly. Next, identify a target wishlist ID, which can be obtained from the database or network traffic. Once the nonce and wishlist ID are available, send an unauthenticated POST request to wp-admin/admin-ajax.php. Include the action parameter set to save_title, the nonce obtained from the page source, the wishlist_id parameter with the target wishlist ID, and the title parameter with the desired new title. After sending the request, the wishlist title will be changed without any ownership verification.

Remediation

Users are advised to update the YITH WooCommerce Wishlist WordPress plugin to version 4.13.0 or later.
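The following PHP is an added illustration of the remediation pattern; it is not YITH's code and does not reproduce the plugin's internals. It shows a save_title-style AJAX handler that checks only the nonce (the class of defect described above) beside a hardened version that also requires authentication and verifies ownership. The table name, column names and the example_* function names are hypothetical and chosen for this example.

```php
<?php
/**
 * Added illustration (not YITH's code): a wishlist "save_title" AJAX handler
 * that checks the nonce only, beside a hardened version that also verifies
 * ownership. Table and column names are hypothetical.
 */

// Hypothetical helper: look up the user_id that owns a wishlist row.
// Returns null when the wishlist does not exist.
function example_get_wishlist_owner_id( int $wishlist_id ): ?int {
    global $wpdb;
    $table = $wpdb->prefix . 'example_wishlists'; // hypothetical table name
    $owner = $wpdb->get_var(
        $wpdb->prepare( "SELECT user_id FROM {$table} WHERE id = %d", $wishlist_id )
    );
    return null === $owner ? null : (int) $owner;
}

// Hypothetical helper: persist the new title (column name assumed).
function example_update_wishlist_title( int $wishlist_id, string $title ): void {
    global $wpdb;
    $wpdb->update(
        $wpdb->prefix . 'example_wishlists',
        array( 'wishlist_name' => $title ),
        array( 'id' => $wishlist_id ),
        array( '%s' ),
        array( '%d' )
    );
}

// VULNERABLE pattern: the nonce only proves the request came from a page that
// rendered it. Nothing ties the requester to the wishlist, so any caller who
// holds the nonce can rename any wishlist id.
function example_save_title_nonce_only() {
    check_ajax_referer( 'save_title', 'nonce' ); // dies on a bad nonce

    $wishlist_id = absint( $_POST['wishlist_id'] ?? 0 );
    $title       = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );

    example_update_wishlist_title( $wishlist_id, $title ); // no ownership check
    wp_send_json_success();
}

// HARDENED pattern: nonce (CSRF) + authentication + ownership (authorization).
function example_save_title_hardened() {
    check_ajax_referer( 'save_title', 'nonce' );

    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'Login required.' ), 401 ); // exits
    }

    $wishlist_id = absint( $_POST['wishlist_id'] ?? 0 );
    $title       = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    if ( 0 === $wishlist_id || '' === $title ) {
        wp_send_json_error( array( 'message' => 'Invalid parameters.' ), 400 );
    }

    $owner_id = example_get_wishlist_owner_id( $wishlist_id );
    // Treat "not found" and "not yours" identically so the response does not
    // reveal which wishlist ids exist.
    if ( null === $owner_id || $owner_id !== get_current_user_id() ) {
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }

    example_update_wishlist_title( $wishlist_id, $title );
    wp_send_json_success( array( 'wishlist_id' => $wishlist_id, 'title' => $title ) );
}

// Register the hardened handler for logged-in users only. Omitting the
// wp_ajax_nopriv_ hook means unauthenticated requests never reach it.
add_action( 'wp_ajax_save_title', 'example_save_title_hardened' );
```

The ownership check is the part that closes the gap: check_ajax_referer() stops cross-site forgery, but only the comparison of the wishlist's owner against get_current_user_id() stops one user from editing another user's data. If a plugin must also support guest (session-bound) wishlists, the same check applies with the session identifier in place of the user ID; what matters is that every mutating handler compares the target object's owner against the requester's identity before writing.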

Added: Apr 10, 2026, 7:56 AM
Updated: Apr 10, 2026, 7:56 AM

Vulnerability Rating (Custom Algorithm)

spread: 5.2
impact: 0.6
exploitability: 9.7
remediation: 7.7
relevance: 5.6
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.