
CVE-2025-67929: Missing Authorization in templateinvaders TI WooCommerce Wishlist

Severity: Medium
Published: Tue Dec 16 2025 (12/16/2025, 08:12:57 UTC)
Source: CVE Database V5
Vendor/Project: templateinvaders
Product: TI WooCommerce Wishlist

Description

Missing Authorization vulnerability in templateinvaders TI WooCommerce Wishlist (ti-woocommerce-wishlist) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects TI WooCommerce Wishlist: from n/a through <= 2.10.0.

AI-Powered Analysis

Last updated: 12/16/2025, 08:45:48 UTC

Technical Analysis

CVE-2025-67929 identifies a missing authorization vulnerability in the TI WooCommerce Wishlist plugin developed by templateinvaders, affecting all versions up to and including 2.10.0. The vulnerability arises from incorrectly configured access control security levels within the plugin, which is designed to enhance WooCommerce by allowing customers to create and manage wishlists. Due to this misconfiguration, unauthorized users may bypass intended authorization checks, potentially gaining access to restricted wishlist functionalities or data. This could include viewing, modifying, or deleting wishlist entries without proper permissions. The issue does not require user interaction or authentication in some scenarios, increasing its exploitability. Although no CVSS score has been assigned and no active exploits have been reported, the flaw presents a significant risk to the confidentiality and integrity of user data managed by the plugin. TI WooCommerce Wishlist is widely used in WordPress e-commerce sites, making the attack surface substantial. The vulnerability was published on December 16, 2025, and is tracked by Patchstack. No official patches or fixes have been linked yet, emphasizing the need for vigilance and proactive mitigation by site administrators.

Potential Impact

For European organizations, especially those operating e-commerce platforms using WordPress and WooCommerce, this vulnerability poses a considerable threat. Exploitation could lead to unauthorized access to customer wishlist data, potentially exposing sensitive user preferences and behavioral information. This breach of confidentiality can damage customer trust and violate data protection regulations such as GDPR. Additionally, unauthorized modification or deletion of wishlist data can impact data integrity and disrupt user experience, potentially leading to financial losses and reputational harm. Since the plugin is popular among small to medium-sized enterprises across Europe, the scope of affected systems is broad. The ease of exploitation without authentication in some cases increases the risk of automated or targeted attacks. Furthermore, compromised e-commerce sites may serve as entry points for further attacks, including privilege escalation or data exfiltration. The lack of current known exploits provides a window for mitigation but also calls for urgent action to prevent future exploitation.

Mitigation Recommendations

Organizations should immediately inventory their WordPress installations to identify the use of the TI WooCommerce Wishlist plugin and verify the version in use. Until an official patch is released, administrators should consider temporarily disabling the plugin or restricting its access via web application firewalls (WAFs) or access control lists (ACLs). Review and harden access control configurations related to wishlist functionalities, ensuring that only authenticated and authorized users can perform sensitive actions. Monitor logs for unusual access patterns or unauthorized attempts to interact with wishlist endpoints. Stay informed through vendor announcements and security advisories for the release of patches or updates addressing this vulnerability. Additionally, implement a robust backup strategy to recover from potential data tampering. For long-term security, consider employing security plugins that enforce strict authorization checks and conduct regular security audits of all e-commerce plugins. Educate development and IT teams about the risks associated with plugin vulnerabilities and the importance of timely updates.
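The first mitigation step above is an inventory check. The following script is an added example (not part of this advisory or of the plugin) that reads the JSON printed by WP-CLI's `wp plugin list --format=json`, collected from each site, and flags every copy of `ti-woocommerce-wishlist` whose version is within the affected range (through 2.10.0). The site names and plugin entries are constructed sample data; the per-site wrapping dict is an assumption about how the collected output is stored.

```python
"""Flag WordPress installs carrying an affected build of TI WooCommerce Wishlist
(CVE-2025-67929, affected through 2.10.0). Input: `wp plugin list --format=json`
output per site. The sample below is constructed, not output from a real site."""
import json

AFFECTED_SLUG = "ti-woocommerce-wishlist"   # plugin slug from the advisory
LAST_AFFECTED = "2.10.0"                     # "through <= 2.10.0"


def parse_version(v):
    """Turn '2.10.0' into (2, 10, 0). A non-numeric tail such as '2.10.0-beta1'
    is cut at the first non-digit so it compares as its numeric prefix."""
    parts = []
    for piece in v.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version):
    # Tuple comparison avoids the lexical trap where "2.9.0" sorts after "2.10.0".
    return parse_version(version) <= parse_version(LAST_AFFECTED)


def find_affected(plugin_list_json):
    """Return [(site, version, status)] for every affected copy. Inactive copies
    are still reported: the code stays on disk and can be re-enabled later."""
    findings = []
    for site, plugins in json.loads(plugin_list_json).items():
        for p in plugins:
            if p.get("name") == AFFECTED_SLUG and is_affected(p.get("version", "0")):
                findings.append((site, p["version"], p.get("status", "unknown")))
    return findings


# Constructed sample: one `wp plugin list --format=json` result per site (assumed layout).
SAMPLE = json.dumps({
    "shop-a.example": [{"name": "woocommerce", "status": "active", "version": "9.4.1"},
                       {"name": "ti-woocommerce-wishlist", "status": "active", "version": "2.9.3"}],
    "shop-b.example": [{"name": "ti-woocommerce-wishlist", "status": "inactive", "version": "2.10.0"}],
    "shop-c.example": [{"name": "ti-woocommerce-wishlist", "status": "active", "version": "2.11.0"}],
})

if __name__ == "__main__":
    for site, ver, status in find_affected(SAMPLE):
        print(f"{site}: {AFFECTED_SLUG} {ver} ({status}) is within the affected range")
```

A version newer than 2.10.0 is treated as out of range only because the advisory names no fixed release; re-check against vendor announcements once a patched version is published.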


Technical Details

Data Version: 5.2
Assigner Short Name: Patchstack
Date Reserved: 2025-12-15T09:59:55.700Z
CVSS Version: null
State: PUBLISHED

Threat ID: 69411753594e45819d70ccbe

Added to database: 12/16/2025, 8:24:51 AM

Last enriched: 12/16/2025, 8:45:48 AM

Last updated: 12/18/2025, 12:21:07 PM

