Impact
The TI WooCommerce Wishlist plugin for WordPress contains an input-validation flaw that allows attackers to inject arbitrary HTML into wishlist items. The plugin accepts hidden form fields without restricting their content or filtering them before output. The flaw does not require authentication: any user who can submit data to the wishlist can craft a malicious payload. Exploitation can lead to client-side code execution in a victim’s browser, credential theft, or defacement, affecting the confidentiality, integrity and availability of the site’s front end.
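The defect class described above, shown as an added example that is not the plugin’s own code: a hidden form field whose value is reflected into the page unescaped, next to the same handler with input sanitization and context-appropriate output escaping. The function names, the `wishlist_note` field and the tampered payload are constructed for illustration; `esc_attr()`, `esc_html()` and `sanitize_text_field()` are standard WordPress helpers, with plain-PHP fallbacks so the script runs stand-alone on the CLI.

```php
<?php
// Added example, not code from the TI WooCommerce Wishlist plugin.
// Demonstrates the vulnerable pattern (trusting a hidden field and echoing it
// verbatim) beside a hardened handler. Field name, function names and the
// payload are assumptions made for this illustration.

// Use WordPress escaping helpers when WordPress is loaded; otherwise fall back
// to htmlspecialchars() so this file runs stand-alone with `php example.php`.
function wl_esc_attr(string $s): string {
    return function_exists('esc_attr')
        ? esc_attr($s)
        : htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function wl_esc_html(string $s): string {
    return function_exists('esc_html')
        ? esc_html($s)
        : htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern: the hidden field is assumed to be untampered, so its
// value is written into both a text node and an attribute without escaping.
// A value containing `">` closes the attribute and injects arbitrary markup.
function render_item_vulnerable(array $post): string {
    $note = $post['wishlist_note'] ?? '';
    return '<li class="wishlist-item">' . $note
         . '<input type="hidden" name="wishlist_note" value="' . $note . '"></li>';
}

// Hardened pattern: validate on input (strip tags, cap length) and escape on
// output with the escaper that matches the context (text node vs attribute).
function render_item_hardened(array $post): string {
    $note = (string) ($post['wishlist_note'] ?? '');
    // Input validation: WordPress' sanitize_text_field() strips tags and
    // control characters; plain PHP fallback does the essential part.
    $note = function_exists('sanitize_text_field')
        ? sanitize_text_field($note)
        : trim(strip_tags($note));
    $note = mb_substr($note, 0, 200); // enforce a sane length limit
    return '<li class="wishlist-item">' . wl_esc_html($note)
         . '<input type="hidden" name="wishlist_note" value="' . wl_esc_attr($note) . '"></li>';
}

// Constructed request body: a client has edited the "hidden" field so that its
// value breaks out of the attribute and adds a harmless <b> tag.
$tampered = ['wishlist_note' => '"><b>injected</b>'];

$bad  = render_item_vulnerable($tampered);
$good = render_item_hardened($tampered);

echo "Vulnerable: $bad\n";
echo "Hardened:   $good\n";

// Self-check: the hardened output must contain neither the injected tag nor an
// unencoded quote that could terminate the value attribute early.
if (strpos($good, '<b>') !== false || strpos($good, 'value=""') !== false) {
    fwrite(STDERR, "hardening failed\n");
    exit(1);
}
echo "hardened output contains no injected markup\n";
```

The point the example makes is that "hidden" is a UI property, not a trust boundary: anything in the request body is attacker-controlled, so it must be validated on the way in and escaped for the exact output context on the way out. For fields that legitimately need limited HTML, `wp_kses()` with an explicit allowlist is the appropriate replacement for `sanitize_text_field()`.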
Affected Systems
The issue affects the TemplateInvaders TI WooCommerce Wishlist plugin for WordPress, versions 2.10.0 and earlier. Any WordPress site running one of these versions is at risk. No other products are mentioned.
Risk and Exploitability
The CVSS score of 5.3 corresponds to medium severity. The EPSS score of less than 1% indicates a low probability of exploitation in the current threat landscape, and the vulnerability is not listed in CISA’s KEV catalog. Because the attack requires no authentication, an adversary could target any public site running the affected plugin. Successful exploitation, however, requires getting attacker-controlled HTML rendered in a page that a victim views, which may be constrained by site-level restrictions or client-side filtering. The primary risk is cross-site scripting rather than remote code execution.
OpenCVE Enrichment