Yith Woocommerce Wishlist
Approved changes feed: RSS · Atom
cpe:2.3:a:yithemes:yith_woocommerce_wishlist:*:*:*:*:*:*:*:*
part: a version: * update: *
| Vendor | Yithemes (3d8b3521-99a5-5f4f-9825-4a1663e47e91) |
|---|---|
| Product | Yith Woocommerce Wishlist (03607d42-29ac-5a27-adb6-a9c31dd2f849) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from purl2cpe mapping |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
pkg:github/wp-plugins/yith-woocommerce-wishlist |
purl2cpe | 2026-06-01 10:12:08.928734 |
pkg:github/wpplugins/yith-woocommerce-wishlist |
purl2cpe | 2026-06-01 10:12:08.928737 |
pkg:github/yithemes/yith-woocommerce-wishlist |
purl2cpe | 2026-06-01 10:12:08.928740 |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2025-5238 |
vulnerable | 2026-06-03 15:06:27.320960 |
YITH WooCommerce Wishlist <= 4.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter
MEDIUM (6.4)
The YITH WooCommerce Wishlist plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 4.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-06-14T09:23:34.023Z
Updated: 2026-04-08T16:59:24.712Z Reference links
|
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-12777 |
vulnerable | 2026-06-03 14:58:44.846600 |
YITH WooCommerce Wishlist <= 4.10.0 - Unauthenticated Wishlist Token Disclosure to Wishlist Item Deletion
MEDIUM (5.3)
The YITH WooCommerce Wishlist plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.10.0. This is due to the plugin not properly verifying that a user is authorized to perform actions on the REST API /wp-json/yith/wishlist/v1/lists endpoint (which uses permission_callback => '__return_true') and the AJAX delete_item handler (which only checks nonce validity without verifying object-level authorization). This makes it possible for unauthenticated attackers to disclose wishlist tokens for any user and subsequently delete wishlist items by chaining the REST API authorization bypass with the exposed delete_item nonce on shared wishlist pages and the AJAX handler's missing object-level authorization check.
Published: 2025-11-19T03:29:38.579Z
Updated: 2026-04-08T16:32:20.417Z Reference links
|
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-12427 |
vulnerable | 2026-06-03 14:58:44.355188 |
YITH WooCommerce Wishlist <= 4.10.0 - Unauthenticated Insecure Direct Object Reference to Unauthenticated Wishlist Rename
MEDIUM (5.3)
The YITH WooCommerce Wishlist plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.10.0 via the REST API endpoint and AJAX handler due to missing validation on user-controlled keys. This makes it possible for unauthenticated attackers to discover any user's wishlist token ID, and subsequently rename the victim's wishlist without authorization (integrity impact). This can be exploited to target multi-user stores for defacement, social engineering attacks, mass tampering, and profiling at scale.
Published: 2025-11-19T03:29:39.992Z
Updated: 2026-04-08T17:35:24.978Z Reference links
|
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-34385 |
vulnerable | 2026-06-03 14:55:53.975505 |
WordPress YITH WooCommerce Wishlist plugin <= 3.32.0 - Cross Site Scripting (XSS) vulnerability
MEDIUM (5.9)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in YITHEMES YITH WooCommerce Wishlist yith-woocommerce-wishlist.This issue affects YITH WooCommerce Wishlist: from n/a through <= 3.32.0.
Published: 2024-06-03T11:41:00.230Z
Updated: 2026-04-28T16:09:47.920Z |
Imported from gcve-enriched-dumps CVE data |
Contribute
You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.