Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WebToffee Wishlist for WooCommerce wt-woocommerce-wishlist allows Stored XSS. This issue affects Wishlist for WooCommerce: from n/a through <= 2.1.2.
Published: 2025-01-24
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stored cross‑site scripting flaw in the WebToffee Wishlist for WooCommerce plugin. The description states that malicious JavaScript can be placed into wishlist data that is rendered unescaped. Based on this, it is inferred that the payload could be executed whenever a user views a page that displays wishlist items, potentially compromising confidentiality, integrity or availability. The weakness is classified as CWE‑79.

Affected Systems

Affected systems are WordPress installations that have the WebToffee Wishlist for WooCommerce plugin version ≤ 2.1.2. The plugin allows users to add or edit wishlist items; based on this, sites where customers or administrators can modify wishlist entries could be used to inject malicious input.

Risk and Exploitability

Based on the available data, the CVSS score is 5.9 (moderate severity) and the EPSS score is below 1 %, indicating a low probability of exploitation. The flaw is not listed in CISA's KEV catalog. The likely attack vector is a web user visiting a wishlist page that contains the injected payload; the vulnerability would typically be exploitable by anyone with the ability to create or edit wishlist entries. Note that the CVSS vector recorded on this page (PR:H, UI:R, S:C) indicates that the attacker needs high privileges, that a victim must interact with the rendered page, and that the impact crosses into the viewing user's browser context.

Generated by OpenCVE AI on May 2, 2026 at 05:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to WebToffee Wishlist for WooCommerce version 2.1.3 or later
  • If an immediate upgrade is not possible, remove or sanitize any wishlist entries that contain untrusted input
  • Implement a web application firewall rule that blocks common XSS payloads targeting wishlist functionality


Tracking


Advisories
Source: EUVD
ID: EUVD-2025-3852
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WebToffee Wishlist for WooCommerce allows Stored XSS. This issue affects Wishlist for WooCommerce: from n/a through 2.1.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WebToffee Wishlist for WooCommerce allows Stored XSS. This issue affects Wishlist for WooCommerce: from n/a through 2.1.2. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WebToffee Wishlist for WooCommerce wt-woocommerce-wishlist allows Stored XSS.This issue affects Wishlist for WooCommerce: from n/a through <= 2.1.2.
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Fri, 24 Jan 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 24 Jan 2025 17:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WebToffee Wishlist for WooCommerce allows Stored XSS. This issue affects Wishlist for WooCommerce: from n/a through 2.1.2.
Title WordPress Wishlist for WooCommerce plugin <=2.1.2 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:31.311Z

Reserved: 2025-01-23T14:51:49.212Z

Link: CVE-2025-24657

Vulnrichment

Updated: 2025-01-24T18:46:33.912Z

NVD

Status: Deferred

Published: 2025-01-24T18:15:39.680

Modified: 2026-06-17T08:59:23.497

Link: CVE-2025-24657

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T05:30:26Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')