CVE-2024-13718: 
WordPress vulnerability analysis and mitigation

The Flexible Wishlist for WooCommerce – Ecommerce Wishlist & Save for later plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability in versions up to and including 1.2.26. The vulnerability was discovered and reported by Tim Coen, with a CVSS v3.1 base score of 4.3 (Medium) (Wordfence Advisory).

The vulnerability stems from missing or incorrect nonce validation on several functions within the plugin. This security flaw has been assigned CVE-2024-13718 and received a CVSS v3.1 vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N, indicating network accessibility, low attack complexity, no privileges required, and user interaction required for exploitation (NVD).

The vulnerability allows unauthenticated attackers to modify, update, or create other users' wishlists through forged requests. The impact is contingent upon successfully tricking a site administrator into performing specific actions, such as clicking on a malicious link (NVD).

A patch has been released in version 1.2.27 of the Flexible Wishlist for WooCommerce plugin. Users are advised to update to this latest version to mitigate the vulnerability (WordPress Patch).