50,000 websites affected by HTML injection vulnerability

15 December 2025

On December 12, 2025, Wordfence.com published a vulnerability report, based on research by Open Roads, that responsibly informed the WordPress community of a combination of vulnerabilities in TI WooCommerce Wishlist, a WordPress plugin with more than 50,000 estimated active installations. The vulnerability makes it possible for unauthenticated visitors of a website to modify wishlist items and inject arbitrary HTML content into any publicly shared wishlist by exploiting an Insecure Direct Object Reference (IDOR) in the handling of the tinv_wishlistkey cookie. The plugin accepts this cookie as proof of ownership without performing proper authorization checks, so unauthorized users can modify the content of shared wishlists they do not own. Attackers can submit arbitrary HTML through the form[] metadata array, leading to stored HTML injection across user-visible content.

WordPress security researcher Pim Schaaf contacted the creator of the TI WooCommerce Wishlist plugin, templateinvaders, on multiple occasions in an effort to fully disclose these findings to the team, but received no response over a period of more than two weeks. The report was subsequently escalated to Wordfence.

The CVSS rating for this vulnerability is medium (5.3).

See the original vulnerability disclosure on Wordfence.com.

Technical Analysis

TI WooCommerce Wishlist is a WordPress plugin, extending WooCommerce to allow users to save their favorite products for later, increasing the likelihood of return visits and purchases. The wishlist feature is advertised as easy to use and encouraging customers to buy more products than they initially planned. The ability to share wishlists is said to attract new potential customers and increase a site’s visibility.

Wishlists created through this plugin get a generated unique key, which identifies the wishlist and is disclosed in a shareable wishlist URL. Ownership of a wishlist is verified by comparing that key with the contents of a cookie called tinv_wishlistkey, which is set in the owner's browser. Changing or adding a cookie so that it matches the key in a TI WooCommerce Wishlist share URL allows unauthenticated attackers to change the contents of the wishlist identified by that key, including adding, removing and, most importantly, modifying wishlist items.

Further examination of the plugin revealed that metadata can be stored with wishlist items and is subsequently displayed on the wishlist, leading to unauthenticated HTML injection across user-visible content.

Minimal proof of concept

The following curl command and screenshot show that setting tinv_wishlistkey to match a user's shared wishlist key, combined with metadata submitted in the form[] parameter, allows modification of that user's wishlist and causes HTML to be stored with products on the shared wishlist.

curl --location 'http://wordpress.localhost/shop/' \
--header 'Host: wordpress.localhost' \
--header 'Content-Type: multipart/form-data; boundary=----geckoformboundaryd1b48c9c01d6501d2b85b39b92bb1cf' \
--header 'Cookie: tinv_wishlistkey=70353c' \
--form 'tinv_wishlist_id=""' \
--form 'product_type="simple"' \
--form 'product_id="15"' \
--form 'product_variation="0"' \
--form 'product_action="addto"' \
--form 'form[malicious_link]=<a href="https://example.org">Malicious link</a>'

Escalation to XSS is limited by the use of sanitize_html_class() and wp_kses_post() when the metadata is displayed in templates/ti-wishlist-item-data.php. However, because users can be expected to treat their own lists as a safe resource on a trusted URL, this vulnerability carries an elevated risk of phishing attacks.
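To make the two findings above concrete (the cookie-based ownership check and the stored item metadata), here is an added Python model; it is not the plugin's own code, and the Wishlist, Request and function names are hypothetical. The vulnerable rule accepts any cookie matching the share key as ownership, the hardened rule mirrors the 2.11.1 fix by denying share-key writes to lists owned by an authenticated user, and strip_meta_html removes HTML from form[] metadata before it is stored.

```python
# Added model of the ownership check and item-meta handling described above.
# Constructed example, not the plugin's code; all names are hypothetical.
from dataclasses import dataclass, field
import html
import re

TAG_RE = re.compile(r"<[^>]*>")


@dataclass
class Wishlist:
    share_key: str                  # key disclosed in the shareable URL
    owner_user_id: int              # 0 = guest list, identified only by cookie
    items: dict = field(default_factory=dict)  # product_id -> {meta_key: value}


@dataclass
class Request:
    cookie_key: str                 # value of the tinv_wishlistkey cookie
    user_id: int                    # 0 = unauthenticated visitor


def vulnerable_can_modify(wl: Wishlist, req: Request) -> bool:
    # Pre-2.11.1 rule as the advisory describes it: a cookie matching the
    # share key is accepted as proof of ownership, whoever set the cookie.
    return req.cookie_key == wl.share_key


def hardened_can_modify(wl: Wishlist, req: Request) -> bool:
    # Rule mirroring the 2.11.1 fix: a list owned by an authenticated user is
    # writable only by that user; the share key becomes a read-only handle.
    if wl.owner_user_id:
        return req.user_id == wl.owner_user_id
    # Guest lists have no account to bind to, so the cookie stays their only
    # identity; keep the comparison but never accept an empty key.
    return bool(req.cookie_key) and req.cookie_key == wl.share_key


def strip_meta_html(value: str) -> str:
    # Strip tags from item meta before storing, then escape what is left so a
    # truncated tag fragment cannot be rendered as markup either.
    return html.escape(TAG_RE.sub("", value))


def add_item(wl, req, product_id, form_meta, check=hardened_can_modify):
    """Apply a request's form[] metadata to the list; True when stored."""
    if not check(wl, req):
        return False
    wl.items[product_id] = {k: strip_meta_html(v) for k, v in form_meta.items()}
    return True
```

Note that a guest list, which has no account to bind to, remains identified by its cookie alone under the hardened rule; the 2.11.1 change as described only closes the share-key path to authenticated users' lists.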

Disclosure timeline

13th May 2025: Reached out to [email protected] (no response)
20th May 2025: Reminded creator on [email protected] (no response)
30th May 2025: Disclosed vulnerability through WPScan's vulnerability submission form (denied)
18th August 2025: Disclosed vulnerability through Wordfence Intelligence
19th August 2025: Report validated by Wordfence Intelligence and CVE-2025-9207 assigned
19th November 2025: Plugin creators release version 2.11.1, which prevents share_key access to authenticated-user wishlists and strips HTML from item meta
12th December 2025: TI WooCommerce Wishlist <= 2.10.0 – Unauthenticated HTML Injection with CVE-2025-9207 published in the Wordfence Intelligence Vulnerability database

Conclusion

In this blog post, we detailed an HTML Injection vulnerability within the TI WooCommerce Wishlist plugin affecting versions 2.10.0 and earlier. This vulnerability allows unauthenticated threat actors, with minimal permissions, to store malicious HTML on the server.

We encourage WordPress users to verify that their sites are updated to the latest patched version of TI WooCommerce Wishlist as soon as possible.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure.