CVE-2025-12777

Name of the Vulnerable Software and Affected Versions YITH WooCommerce Wishlist plugin versions prior to 4.10.0

Description The YITH WooCommerce Wishlist plugin for WordPress has an authorization issue. The plugin does not properly verify user authorization for actions on the REST API endpoint /wp-json/yith/wishlist/v1/lists and the AJAX delete item handler. The REST API endpoint uses permission callback => ' return true', bypassing authorization checks. The AJAX delete item handler only validates nonce validity, lacking object-level authorization verification. This allows unauthenticated attackers to disclose wishlist tokens for any user and delete wishlist items by combining the REST API bypass with the exposed delete item nonce on shared wishlist pages and the missing authorization check in the AJAX handler.

Recommendations Update the YITH WooCommerce Wishlist plugin to version 4.10.0 or later.