CVE-2025-9207: CWE-20 Improper Input Validation in templateinvaders TI WooCommerce Wishlist
The TI WooCommerce Wishlist plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 2.10.0. This is due to the plugin accepting hidden fields and not limiting the values or data that can be input and are later output. This makes it possible for unauthenticated attackers to inject arbitrary HTML into wishlist items.
AI Analysis
Technical Summary
CVE-2025-9207 identifies an HTML Injection vulnerability in the TI WooCommerce Wishlist plugin for WordPress, present in all versions up to and including 2.10.0. The root cause is improper input validation (CWE-20), where the plugin accepts hidden form fields without limiting or sanitizing their values before outputting them in wishlist items. This flaw allows unauthenticated remote attackers to inject arbitrary HTML code into the wishlist content. Because the injected HTML is rendered in the context of the affected website, attackers could manipulate page content, insert malicious scripts indirectly (though not directly classified as XSS), or deface wishlist displays. The vulnerability does not require any privileges or user interaction, making it easier to exploit. The CVSS v3.1 base score is 5.3 (medium severity), reflecting the network attack vector, low complexity, no privileges required, no user interaction, and limited impact confined to integrity without affecting confidentiality or availability. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of publication. This vulnerability impacts any WordPress site using the TI WooCommerce Wishlist plugin, which is widely used in e-commerce environments to enhance user shopping experience by allowing customers to save products for later. The lack of input validation on hidden fields is a common security oversight that can be leveraged for content injection attacks, potentially undermining the trustworthiness of the website and opening avenues for further client-side attacks if combined with other vulnerabilities.
Potential Impact
The primary impact of this vulnerability is on data integrity, as attackers can inject arbitrary HTML into wishlist items, potentially altering the appearance or content of the site. This can lead to defacement or misleading information being displayed to users, damaging brand reputation and user trust. While the vulnerability does not directly compromise confidentiality or availability, the injected HTML could be used as a vector for social engineering or phishing attacks by embedding deceptive content. Additionally, if combined with other vulnerabilities, it might facilitate cross-site scripting (XSS) or session hijacking attacks, increasing the overall risk. For e-commerce sites relying on the TI WooCommerce Wishlist plugin, this could result in customer distrust, loss of sales, and potential regulatory scrutiny if user data or experience is compromised. Since exploitation requires no authentication and no user interaction, the attack surface is broad, allowing remote attackers to target any vulnerable site. The absence of known exploits in the wild reduces immediate risk but does not eliminate the potential for future attacks once the vulnerability details become widely known.
Mitigation Recommendations
To mitigate this vulnerability, organizations should first check for updates or patches from the plugin vendor, TemplateInvaders, and apply them promptly once available. In the absence of an official patch, site administrators should implement strict input validation and sanitization on all user-supplied data, especially hidden fields in wishlist forms. Utilizing WordPress security plugins that enforce content filtering or HTML sanitization can help reduce risk. Disabling or restricting the use of hidden fields in wishlist submissions until a fix is applied can also mitigate exploitation. Web Application Firewalls (WAFs) should be configured to detect and block suspicious HTML injection attempts targeting the wishlist functionality. Regular security audits and code reviews of customizations involving the wishlist plugin can identify and remediate unsafe input handling. Additionally, monitoring website content for unexpected changes or injected HTML can provide early detection of exploitation attempts. Educating development and content teams about secure coding practices related to input validation is essential to prevent similar issues in the future.
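The input-validation and sanitization advice above, shown as an added illustration for a WordPress wishlist form handler. This is example code written for this analysis, not code from the TI WooCommerce Wishlist plugin; the function names and the field names `product_id`, `note` and `product_name` are assumptions, and it assumes the WordPress and WooCommerce runtime for `sanitize_text_field()`, `wp_unslash()`, `absint()`, `esc_html()` and `wc_get_product()`.

```php
<?php
// Illustrative "add wishlist item" handler (assumed names), not plugin code.

// Vulnerable pattern: every POSTed field, hidden ones included, is stored
// and later echoed into the wishlist markup without validation or escaping.
function wishlist_item_html_unsafe( array $post ) {
    $item = array();
    foreach ( $post as $key => $value ) {
        $item[ $key ] = $value;            // no allowlist, no sanitization
    }
    return '<li class="wishlist-item">' . $item['product_name']
         . ' <span>' . $item['note'] . '</span></li>'; // raw output sink
}

// Hardened pattern: accept only the fields the form is expected to send,
// sanitize each on input according to its type, and escape at the output sink.
function wishlist_item_html_safe( array $post ) {
    $allowed = array( 'product_id', 'note' );   // hidden or not, nothing else is read
    $clean   = array();
    foreach ( $allowed as $key ) {
        if ( ! isset( $post[ $key ] ) ) {
            continue;
        }
        // wp_unslash() + sanitize_text_field() strip tags and control characters.
        $clean[ $key ] = sanitize_text_field( wp_unslash( $post[ $key ] ) );
    }

    // Numeric fields are coerced, not trusted as strings.
    $product_id = isset( $clean['product_id'] ) ? absint( $clean['product_id'] ) : 0;
    if ( 0 === $product_id ) {
        return ''; // reject the submission instead of rendering it
    }

    // The display name is looked up server-side, never taken from the request.
    $product = wc_get_product( $product_id );
    $name    = $product ? $product->get_name() : '';
    $note    = isset( $clean['note'] ) ? $clean['note'] : '';

    // esc_html() at the sink: even a value that slipped past input
    // sanitization cannot break out of the text context.
    return '<li class="wishlist-item">' . esc_html( $name )
         . ' <span>' . esc_html( $note ) . '</span></li>';
}
```

The allowlist addresses the CWE-20 root cause (unbounded hidden fields), while output escaping is the defence that holds even if a new field is added later without input sanitization.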
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, Netherlands, India, Brazil, Japan, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-08-19T18:35:49.896Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 693d169bdd056aa40b718096
Added to database: 12/13/2025, 7:32:43 AM
Last enriched: 2/26/2026, 5:45:57 PM
Last updated: 3/24/2026, 10:31:10 AM