WordPress Plugin Vulnerabilities

TI WooCommerce Wishlist < 2.11.0 - Unauthenticated HTML Injection

Description

The plugin is vulnerable to HTML Injection due to the plugin accepting hidden fields and not limiting the values or data that can input and is later output. This makes it possible for unauthenticated attackers to inject arbitrary HTML into wishlist items.

Affects Plugins

Plugin icon
ti-woocommerce-wishlist
Fixed in 2.11.0

References

CVE
CVE-2025-9207
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/8d08d381-d0ef-4f40-975d-51e919a7c872

Classification

Type
CONTENT INJECTION
OWASP top 10
A1: Injection
CWE
CWE-345
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
pimschaaf
Verified
No
WPVDB ID
d9655f72-d7b6-45e2-b53d-508099eaa38d

Timeline

Publicly Published
2025-12-12 (about 5 months ago)
Added
2025-12-12 (about 5 months ago)
Last Updated
2025-12-12 (about 5 months ago)

Other

Published
Title
Published
2024-02-20
Title
Tutor LMS < 2.6.1 - Student+ HTML Injection via Q&A
Published
2023-11-07
Title
Foyer <= 1.7.5 - Content Injection via Improper Access Control
Published
2023-10-11
Title
Responsive Tabs < 4.0.6 - Authenticated (Contributor+) Content Injection
Published
2026-04-06
Title
Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More < 1.8.10 - Insufficient Verification of Data Authenticity to Unauthenticated Donation Status Forgery via Stripe Webhook
Published
2024-06-03
Title
Claudio Sanches – Checkout Cielo for WooCommerce <= 1.1.0 - Insufficient Verification of Data Authenticity to Order Payment Status Update