CVE-2025-32920

Vulnerability

Overview

The TI WooCommerce Wishlist plugin for WordPress versions up to and including 2.10.0 contains a Stored Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This allows an attacker to inject arbitrary HTML and JavaScript code that persists in the application.

Exploitation

Exploitation requires a privileged user (such as an administrator) to perform an action, like clicking a malicious link or visiting a crafted page, which triggers the injection [1]. Once stored, the malicious payload executes when other users, including visitors, access the affected page or functionality.

Impact

A successful attack can lead to the execution of malicious scripts in the browsers of site visitors, enabling redirection to malicious sites, display of unwanted advertisements, or other harmful HTML payloads [1]. This can compromise the user experience and potentially lead to further attacks.

Mitigation

The vulnerability has been addressed in version 2.11.0 of the plugin [1]. Users are strongly advised to update to this version or later. For those unable to update immediately, consulting a hosting provider or web developer is recommended [1].