CVE-2025-9207 MEDIUM

CVE-2025-9207: TI WooCommerce Wishlist <= 2.10.0 - Unauthenticated HTML Injection

Vendor Templateinvaders

Product TI WooCommerce Wishlist

Weakness CWE-20 · Input validation

Published December 13, 2025

Last update April 8, 2026

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality None

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

The TI WooCommerce Wishlist plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 2.10.0. This is due to the plugin accepting hidden fields and not limiting the values or data that can input and is later output. This makes it possible for unauthenticated attackers to inject arbitrary HTML into wishlist items.

Key dates

02Disclosure timeline

December 13, 2025 CVE published

April 8, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-9207

Related vulnerabilities

CVE-2025-9207: TI WooCommerce Wishlist <= 2.10.0 - Unauthenticated HTML Injection

01Description

02Disclosure timeline

03References

04Related CVE