CVE-2025-9207
📋 TL;DR
The TI WooCommerce Wishlist plugin for WordPress is vulnerable to HTML injection: unauthenticated attackers can inject arbitrary HTML into wishlist items because the plugin does not validate or sanitize the values of hidden form fields before outputting them. A hidden field is hidden only in the browser UI; any client can set it to whatever it likes, so it must be treated as untrusted input like every other parameter. All WordPress sites running this plugin up to and including version 2.10.0 are affected.
💻 Affected Systems
- TI WooCommerce Wishlist WordPress Plugin
⚠️ Manual Verification Required
The automated detection database behind this page has no version range for this entry, so automatic vulnerability detection cannot decide whether your system is affected.
Why? The CVE database entry used for automatic detection does not carry a vendor/NVD version range. The Wordfence advisory and the fix section below do state one: versions up to and including 2.10.0 are vulnerable and 2.10.1 contains the fix, so check the installed version by hand.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
If the injected markup is rendered without escaping, the bug amounts to stored cross-site scripting: attackers can inject script that steals session cookies, redirects visitors to phishing sites, or issues forged requests from the browser of a logged-in user (including an administrator viewing the wishlist).
Likely Case
Attackers inject HTML that creates misleading content, defaces wishlist pages, or redirects users to malicious sites.
If Mitigated
With input validated on the way in and, above all, output escaped on the way out (esc_html() / esc_attr() in WordPress, or wp_kses() with an explicit allowlist where limited markup must be allowed), injected markup is rendered as literal text rather than interpreted by the browser, so the injection has no effect.
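The vulnerable pattern beside its hardened form, as an added illustration that is not the plugin's own code and not taken from the page's references. It uses WordPress's sanitize_text_field() and esc_html(); the field name custom_label and the render/store function names are hypothetical, and simplified stand-ins for the two WordPress functions are defined so the file also runs with plain php outside WordPress.

```php
<?php
// Added example (not the plugin's own code). Models the bug class described above:
// a hidden form field value stored with a wishlist item and later echoed into page
// markup without escaping. Field and function names are hypothetical.

// Stand-ins so the file runs outside WordPress; inside WordPress the real functions
// are used. (WordPress's sanitize_text_field() also normalises whitespace and strips
// invalid octets; this stand-in only removes tags.)
if (!function_exists('esc_html')) {
    function esc_html($text): string {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str): string {
        return trim(strip_tags((string) $str));
    }
}

// Vulnerable pattern: the value of a hidden field ("hidden" only in the browser UI;
// any client can set it) is stored as submitted and concatenated raw into HTML.
function render_item_vulnerable(array $item): string {
    return '<li class="wishlist-item">' . $item['custom_label'] . '</li>';
}

// Hardened pattern: sanitize on input, escape on output. Output escaping is the
// control that actually prevents the markup from being rendered; input sanitization
// is defence in depth.
function store_item_hardened(array $raw): array {
    return ['custom_label' => sanitize_text_field($raw['custom_label'] ?? '')];
}

function render_item_hardened(array $item): string {
    return '<li class="wishlist-item">' . esc_html($item['custom_label'] ?? '') . '</li>';
}

// Constructed payload of the kind an unauthenticated visitor could submit.
$payload = ['custom_label' => '<img src=x onerror="alert(document.cookie)">'];

// 1. Raw interpolation: the tag reaches the browser intact and the handler fires.
echo render_item_vulnerable($payload), PHP_EOL;

// 2. Escaping alone: the same string is delivered as visible text, not as markup.
echo render_item_hardened($payload), PHP_EOL;

// 3. Sanitize + escape: the tag is stripped on the way in, and whatever remains
//    is still escaped on the way out.
echo render_item_hardened(store_item_hardened($payload)), PHP_EOL;
```

Run it with php from the command line and compare the three lines. Case 2 is the one that matters: escaping at the point of output neutralises the payload even when the input-side check is missing or bypassed, which is why WordPress reviewers insist on esc_*() at every echo. If the plugin genuinely needs to allow some markup in a field, wp_kses() with an explicit tag and attribute allowlist is the WordPress way to do that, not trusting the submitted value.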
🎯 Exploit Status
HTML injection vulnerabilities are typically easy to exploit with basic web knowledge. Here no authentication is required and the payload is an ordinary form submission with a modified hidden field, so no special tooling is needed. No public exploit is referenced on this page.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.10.1
Vendor Advisory: https://wordpress.org/plugins/ti-woocommerce-wishlist/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'TI WooCommerce Wishlist' and click 'Update Now'.
4. Verify that the version shows 2.10.1 or higher.
🔧 Temporary Workarounds
Disable Wishlist Functionality
Temporarily deactivate the TI WooCommerce Wishlist plugin until it can be updated:
wp plugin deactivate ti-woocommerce-wishlist
Implement WAF Rules
Add web application firewall rules to block HTML injection attempts in wishlist parameters. Match after URL-decoding (payloads are commonly percent-encoded) on tag openings, javascript: URLs and on*= event handlers rather than on the literal string "<script>" alone.
🧯 If You Can't Patch
- Implement a strict Content Security Policy (CSP) to limit script execution; note that CSP does not stop non-script HTML injection such as injected links, forms or defacement
- Use a web application firewall to monitor and block suspicious wishlist submissions
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for TI WooCommerce Wishlist version. If version is 2.10.0 or lower, you are vulnerable.
Check Version:
wp plugin get ti-woocommerce-wishlist --field=version
Verify Fix Applied:
After updating, verify the plugin version shows 2.10.1 or higher in WordPress admin.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to wishlist endpoints with HTML/script content
- Multiple failed wishlist submissions with suspicious payloads
Network Indicators:
- HTTP requests containing HTML tags in wishlist-related parameters
- Unusual traffic patterns to wishlist endpoints
SIEM Query:
source="wordpress.log" AND ("ti-woocommerce-wishlist" OR "wishlist") AND ("<script>" OR "javascript:" OR "onload=" OR "onerror=")
Note: literal matching misses URL-encoded payloads (for example %3Cscript%3E); decode the field in the search or add the encoded variants to the query.
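The WAF rule, the "monitor and block suspicious wishlist submissions" fallback and the log indicators above can be implemented inside WordPress itself as a must-use plugin. The following is an added example and not code from the plugin or from this page's references: it scans wishlist-related requests for markup in any parameter, applying the same keywords as the SIEM query but after percent-decoding. Which parameters the plugin actually reads is not stated on this page, so every GET/POST value is checked on requests whose URI or parameter names contain "wishlist"; the choice of the init hook at priority 0 so that it runs before plugin handlers is an assumption about hook ordering.

```php
<?php
// Added example (not from the plugin or the page). A must-use-plugin style monitor
// that inspects wishlist-related requests for markup in any parameter, mirroring the
// SIEM query above. Which parameters the plugin reads is not stated on this page, so
// every GET/POST value is scanned on requests whose URI or parameter names contain
// "wishlist". Using the init hook at priority 0 (to run before plugin handlers) is an
// assumption about hook ordering.

const TINV_MON_PATTERNS = [
    'tag'     => '/<\s*\/?\s*[a-z][\w-]*/i',   // any opening or closing HTML tag
    'script'  => '/<\s*script\b/i',
    'jsurl'   => '/javascript\s*:/i',
    'handler' => '/\bon[a-z]+\s*=/i',          // onload=, onerror=, ...
];

/**
 * Returns [['param' => ..., 'rule' => ...], ...] for every parameter that looks like
 * an HTML injection attempt, or [] when the request is not wishlist-related or clean.
 */
function tinv_mon_scan(string $uri, array $params): array
{
    $wishlist_request = stripos($uri, 'wishlist') !== false
        || preg_grep('/wishlist/i', array_keys($params)) !== [];
    if (!$wishlist_request) {
        return [];
    }

    $hits = [];
    array_walk_recursive($params, function ($value, $name) use (&$hits) {
        $raw = (string) $value;
        // Check the raw value plus one and two rounds of percent-decoding: payloads
        // are often encoded so that literal matches on "<script>" miss them.
        $forms = [$raw, rawurldecode($raw), rawurldecode(rawurldecode($raw))];
        foreach (TINV_MON_PATTERNS as $rule => $re) {
            foreach ($forms as $form) {
                if (preg_match($re, $form) === 1) {
                    $hits[] = ['param' => (string) $name, 'rule' => $rule];
                    break;
                }
            }
        }
    });
    return $hits;
}

if (function_exists('add_action')) {
    // Inside WordPress: write one structured log line per suspicious request.
    add_action('init', function () {
        $uri  = (string) ($_SERVER['REQUEST_URI'] ?? '');
        $hits = tinv_mon_scan($uri, array_merge($_GET, $_POST));
        if ($hits !== []) {
            error_log(sprintf('[tinv-monitor] suspected HTML injection from %s on %s: %s',
                $_SERVER['REMOTE_ADDR'] ?? '?', $uri, json_encode($hits)));
            // Monitor-only by default. To block as a virtual patch, uncomment:
            // wp_die('Request rejected.', 'Forbidden', ['response' => 403]);
        }
    }, 0);
} else {
    // Stand-alone demo on constructed requests (no WordPress needed).
    $requests = [
        ['/wishlist/',           ['product_id' => '42', 'note' => 'gift for mum <3']],
        ['/wishlist/',           ['product_id' => '42', 'label' => '<img src=x onerror=alert(1)>']],
        ['/?add-to-wishlist=42', ['label' => '%253Cscript%253Ealert(1)%253C/script%253E']],
        ['/cart/',               ['q' => '<b>not a wishlist request</b>']],
    ];
    foreach ($requests as [$uri, $params]) {
        printf("%-26s %s\n", $uri, json_encode(tinv_mon_scan($uri, $params)));
    }
}
```

Drop the file into wp-content/mu-plugins/ to have WordPress load it on every request, including admin-ajax.php calls; run it with php on the command line to see the scanner's verdict on the four constructed requests (a harmless "<3", a plain tag with an event handler, a double-encoded script tag that only the second decoding round exposes, and a non-wishlist request that is ignored). Keep it in monitor-only mode first and review the error_log output for false positives before switching on the wp_die() block, and remove it once the plugin is updated to 2.10.1.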
🔗 References
- https://plugins.trac.wordpress.org/browser/ti-woocommerce-wishlist/trunk/includes/wishlist.class.php#L326
- https://plugins.trac.wordpress.org/browser/ti-woocommerce-wishlist/trunk/includes/wishlist.class.php#L544
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3399224%40ti-woocommerce-wishlist&new=3399224%40ti-woocommerce-wishlist&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/8d08d381-d0ef-4f40-975d-51e919a7c872?source=cve