
CVE-2025-67929: Missing Authorization in templateinvaders TI WooCommerce Wishlist

Severity: Medium
Published: Tue Dec 16 2025 (12/16/2025, 08:12:57 UTC)
Source: CVE Database V5
Vendor/Project: templateinvaders
Product: TI WooCommerce Wishlist

Description

Missing Authorization vulnerability in templateinvaders TI WooCommerce Wishlist ti-woocommerce-wishlist allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects TI WooCommerce Wishlist: from n/a through <= 2.10.0.

AI-Powered Analysis

Last updated: 01/21/2026, 01:11:57 UTC

Technical Analysis

CVE-2025-67929 is a missing authorization vulnerability in the TI WooCommerce Wishlist plugin by templateinvaders, affecting all versions up to and including 2.10.0. The flaw stems from incorrectly configured access control security levels, which let users with limited privileges (PR:L) perform actions within the plugin that they are not authorized to perform. The recorded attack vector is local (AV:L), so the attacker must already hold some authenticated access to the system or application environment, but no user interaction (UI:N) is needed. Confidentiality, integrity and availability are each affected to a limited degree (C:L/I:L/A:L): an attacker could read or modify wishlist data or related user information without authorization, which could lead to data leakage or unauthorized changes that disrupt normal e-commerce operations. The scope is unchanged (S:U), meaning the impact is confined to the vulnerable component and does not extend to other system components. No public exploits have been reported and no patch is currently linked, so organizations should monitor for updates from the vendor. The issue is most relevant to WooCommerce-based e-commerce sites that use the TI WooCommerce Wishlist plugin, which is widely used by online retailers for wishlist functionality. An attacker with some authenticated access could use this flaw to escalate privileges or manipulate user data, undermining customer trust and business operations.

Potential Impact

For European organizations, CVE-2025-67929 could expose customer wishlist data to unauthorized access, which may constitute a privacy violation under GDPR. The integrity of wishlist and related user data could be compromised, degrading customer experience and trust. Availability impacts, while limited, could disrupt e-commerce operations if attackers modify or delete wishlist information. Given the medium severity and the requirement for some privilege level, the risk is higher for organizations with many user roles or weak privilege separation. Retailers that rely heavily on WooCommerce and the TI WooCommerce Wishlist plugin could face reputational damage and regulatory scrutiny if customer data is exposed or manipulated. The vulnerability could also serve as a stepping stone for further attacks within the e-commerce platform, increasing overall risk. European e-commerce sectors, especially in countries with large online retail markets, could see targeted exploitation attempts once public exploits emerge.

Mitigation Recommendations

Organizations should immediately inventory their WooCommerce installations to determine whether TI WooCommerce Wishlist version 2.10.0 or earlier is in use. Until a patch is released, restrict access to the plugin’s administrative and wishlist management interfaces to trusted users only, using role-based access controls to minimize privilege exposure. Implement monitoring and alerting for unusual activity involving wishlist data modifications or access patterns. Regularly audit user permissions to ensure least privilege is enforced. Consider temporarily disabling the wishlist functionality if it is not critical to business operations. Stay informed on vendor advisories and apply patches promptly once available. Web application firewalls (WAFs) can also be tuned to detect and block suspicious requests targeting wishlist endpoints. Conduct security awareness training so administrators can recognize signs of exploitation. Finally, ensure that backup and recovery procedures are robust enough to restore data integrity if unauthorized changes occur.


Technical Details

Data Version: 5.2
Assigner Short Name: Patchstack
Date Reserved: 2025-12-15T09:59:55.700Z
CVSS Version: null
State: PUBLISHED

Threat ID: 69411753594e45819d70ccbe

Added to database: 12/16/2025, 8:24:51 AM

Last enriched: 1/21/2026, 1:11:57 AM

Last updated: 2/4/2026, 3:33:52 AM

