CVE-2025-9207: CWE-20 Improper Input Validation in templateinvaders TI WooCommerce Wishlist
The TI WooCommerce Wishlist plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 2.10.0. This is due to the plugin accepting hidden fields and not limiting the values or data that can input and is later output. This makes it possible for unauthenticated attackers to inject arbitrary HTML into wishlist items.
AI Analysis
Technical Summary
CVE-2025-9207 is an HTML Injection vulnerability in the TI WooCommerce Wishlist WordPress plugin (up to version 2.10.0). The issue arises from improper input validation of hidden fields, enabling unauthenticated attackers to inject arbitrary HTML content into wishlist items. This vulnerability is classified under CWE-20 and has a CVSS 3.1 score of 5.3 (medium severity). No patch or official fix has been documented in the provided data, and the plugin is not a cloud service, so remediation depends on vendor updates.
Potential Impact
An attacker can inject arbitrary HTML into wishlist items without authentication, potentially leading to content manipulation or UI spoofing. The CVSS vector indicates no confidentiality or availability impact, but there is an integrity impact due to the injection of unauthorized HTML. No known exploits have been reported in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, users should consider disabling or limiting the use of the TI WooCommerce Wishlist plugin to reduce exposure. Monitor official vendor channels for updates or patches addressing this vulnerability.
CVE-2025-9207: CWE-20 Improper Input Validation in templateinvaders TI WooCommerce Wishlist
Description
The TI WooCommerce Wishlist plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 2.10.0. This is due to the plugin accepting hidden fields and not limiting the values or data that can input and is later output. This makes it possible for unauthenticated attackers to inject arbitrary HTML into wishlist items.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2025-9207 is an HTML Injection vulnerability in the TI WooCommerce Wishlist WordPress plugin (up to version 2.10.0). The issue arises from improper input validation of hidden fields, enabling unauthenticated attackers to inject arbitrary HTML content into wishlist items. This vulnerability is classified under CWE-20 and has a CVSS 3.1 score of 5.3 (medium severity). No patch or official fix has been documented in the provided data, and the plugin is not a cloud service, so remediation depends on vendor updates.
Potential Impact
An attacker can inject arbitrary HTML into wishlist items without authentication, potentially leading to content manipulation or UI spoofing. The CVSS vector indicates no confidentiality or availability impact, but there is an integrity impact due to the injection of unauthorized HTML. No known exploits have been reported in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, users should consider disabling or limiting the use of the TI WooCommerce Wishlist plugin to reduce exposure. Monitor official vendor channels for updates or patches addressing this vulnerability.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-08-19T18:35:49.896Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 693d169bdd056aa40b718096
Added to database: 12/13/2025, 7:32:43 AM
Last enriched: 4/9/2026, 6:10:21 PM
Last updated: 5/6/2026, 6:58:27 AM
Views: 218
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.