HTML Injection Vulnerability in TI WooCommerce Wishlist Plugin for WordPress
CVE-2025-9207

5.3 MEDIUM

Key Information:

Vendor: WordPress
CVE Published: 13 December 2025

What is CVE-2025-9207?

The TI WooCommerce Wishlist plugin for WordPress is vulnerable to HTML injection in all versions up to and including 2.10.0, and the flaw can be exploited by unauthenticated attackers. The plugin fails to properly validate and sanitize input from hidden fields, which lets an attacker inject arbitrary HTML into wishlist items. This opens the door to security risks such as cross-site scripting (XSS), compromising the integrity of the application and the safety of its users.

Affected Version(s)

TI WooCommerce Wishlist * <= 2.10.0

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Pim Schaaf