Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in templateinvaders TI WooCommerce Wishlist ti-woocommerce-wishlist allows Stored XSS. This issue affects TI WooCommerce Wishlist: from n/a through <= 2.10.0.
Published: 2025-05-19
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The TI WooCommerce Wishlist plugin contains a stored cross‑site scripting flaw that arises from improper neutralization of user input during page generation. Malicious JavaScript can be persisted in the wishlist’s data and will execute in the browsers of users who view the affected wishlist entry. The CVE description provides only this broad statement of stored XSS with no additional operational details.

Affected Systems

All installations of the TI WooCommerce Wishlist plugin from its first release through version 2.10.0 are vulnerable. The issue applies to any WordPress site that has the plugin enabled, regardless of the specific WooCommerce or WordPress versions.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate level of risk. The EPSS score of less than 1 % suggests that exploitation is unlikely, although not impossible; attackers might target high‑traffic stores that use the plugin. The vulnerability is not listed in CISA KEV, and no public exploit is documented. The likely attack vector involves an attacker who can supply content to the wishlist; the injected data is stored and later rendered when other users view the wishlist, causing script execution in their browsers.

Generated by OpenCVE AI on May 2, 2026 at 01:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the TI WooCommerce Wishlist plugin to the most recent release that removes the XSS bug.
  • Search the database for wishlist entries that may contain injected script and clean or delete them.
  • Review all plugin and theme code that accepts user input for output to pages and enforce proper input validation and output encoding to prevent similar issues.



Advisories
Source: EUVD
ID: EUVD-2025-15720
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in TemplateInvaders TI WooCommerce Wishlist allows Stored XSS. This issue affects TI WooCommerce Wishlist: from n/a through 2.9.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in TemplateInvaders TI WooCommerce Wishlist allows Stored XSS. This issue affects TI WooCommerce Wishlist: from n/a through 2.10.0.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in templateinvaders TI WooCommerce Wishlist ti-woocommerce-wishlist allows Stored XSS. This issue affects TI WooCommerce Wishlist: from n/a through <= 2.10.0.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Tue, 17 Jun 2025 09:30:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in TemplateInvaders TI WooCommerce Wishlist allows Stored XSS. This issue affects TI WooCommerce Wishlist: from n/a through 2.9.2.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in TemplateInvaders TI WooCommerce Wishlist allows Stored XSS. This issue affects TI WooCommerce Wishlist: from n/a through 2.10.0.
Title
  Removed: WordPress TI WooCommerce Wishlist plugin <= 2.9.2 - Cross Site Scripting (XSS) vulnerability
  Added: WordPress TI WooCommerce Wishlist plugin <= 2.10.0 - Cross Site Scripting (XSS) vulnerability

Mon, 19 May 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 19 May 2025 16:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in TemplateInvaders TI WooCommerce Wishlist allows Stored XSS. This issue affects TI WooCommerce Wishlist: from n/a through 2.9.2.
Title WordPress TI WooCommerce Wishlist plugin <= 2.9.2 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:29.025Z

Reserved: 2025-04-14T11:30:45.182Z

Link: CVE-2025-32920

Vulnrichment

Updated: 2025-05-19T16:42:10.658Z

NVD

Status: Deferred

Published: 2025-05-19T16:15:29.363

Modified: 2026-04-23T15:29:22.060

Link: CVE-2025-32920

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T01:45:26Z

Weaknesses