Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-69334

CVE-2025-69334: WooCommerce Wishlist Plugin XSS Flaw

CVE-2025-69334 is a stored cross-site scripting vulnerability in WPFactory Wishlist for WooCommerce plugin that allows attackers to inject malicious scripts. This article covers the technical details, affected versions, and mitigation.

Updated:

CVE-2025-69334 Overview

A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the WPFactory Wishlist for WooCommerce WordPress plugin. This vulnerability stems from improper neutralization of user input during web page generation, allowing attackers with low-level privileges to inject malicious scripts that persist in the application and execute in the browsers of other users who view affected pages.

Critical Impact

Authenticated attackers can inject persistent malicious scripts that execute in victim browsers, potentially leading to session hijacking, credential theft, and unauthorized actions on behalf of legitimate users.

Affected Products

  • WPFactory Wishlist for WooCommerce plugin version 3.3.0 and earlier
  • WordPress installations using the wish-list-for-woocommerce plugin
  • WooCommerce stores with wishlist functionality enabled

Discovery Timeline

  • 2026-01-06 - CVE CVE-2025-69334 published to NVD
  • 2026-01-08 - Last updated in NVD database

Technical Details for CVE-2025-69334

Vulnerability Analysis

This Stored XSS vulnerability (CWE-79) in the Wishlist for WooCommerce plugin allows attackers to inject malicious JavaScript code that persists within the application database. Unlike reflected XSS attacks that require victims to click malicious links, stored XSS payloads are automatically executed when users view pages containing the compromised content.

The vulnerability requires the attacker to have low-level authentication (such as a subscriber or customer account) and relies on user interaction where a victim must view the page containing the malicious payload. The scope is changed, meaning the vulnerability can impact resources beyond the vulnerable component, affecting the confidentiality, integrity, and availability of the broader WordPress environment.

Root Cause

The vulnerability originates from insufficient input sanitization and output encoding within the wishlist functionality. User-supplied input is not properly neutralized before being stored in the database and subsequently rendered on web pages. This allows specially crafted input containing JavaScript code to bypass security controls and execute in the context of other users' browser sessions.

Attack Vector

The attack leverages the network-accessible wishlist features of the WooCommerce plugin. An authenticated attacker with minimal privileges can inject malicious scripts through wishlist-related input fields. When other users—including administrators—view pages displaying wishlist content, the injected script executes within their browser session.

The stored nature of this XSS variant makes it particularly dangerous as the payload persists across multiple page loads and can affect numerous victims without requiring individual social engineering attacks. Successful exploitation could enable attackers to steal session cookies, capture credentials, redirect users to malicious sites, or perform actions on behalf of authenticated administrators.

Detection Methods for CVE-2025-69334

Indicators of Compromise

  • Unusual JavaScript code or HTML tags stored in wishlist-related database tables
  • Unexpected <script> tags or event handlers (e.g., onerror, onload) in wishlist item names or descriptions
  • Reports of unexpected browser behavior or pop-ups when viewing wishlist pages
  • Suspicious account activity following visits to wishlist-related pages

Detection Strategies

  • Implement Web Application Firewall (WAF) rules to detect XSS patterns in wishlist-related requests
  • Review WordPress database entries in wishlist tables for suspicious HTML or JavaScript content
  • Monitor server access logs for requests containing encoded script tags targeting wishlist endpoints
  • Deploy Content Security Policy (CSP) headers to detect and block inline script execution

Monitoring Recommendations

  • Enable logging for all wishlist-related user actions and content submissions
  • Configure alerts for failed CSP violations that may indicate XSS attempts
  • Monitor for unusual patterns of wishlist creation or modification by low-privilege accounts
  • Review WordPress admin activity logs for unauthorized administrative actions

How to Mitigate CVE-2025-69334

Immediate Actions Required

  • Update the Wishlist for WooCommerce plugin to the latest patched version immediately
  • Audit existing wishlist entries in the database for malicious content
  • Implement Content Security Policy (CSP) headers to mitigate XSS impact
  • Consider temporarily disabling the wishlist functionality until the update is applied
  • Review user accounts for any suspicious activity that may indicate exploitation

Patch Information

Organizations should update to a version of the Wishlist for WooCommerce plugin newer than 3.3.0 as soon as a patched release becomes available. Refer to the Patchstack WordPress Vulnerability Advisory for the latest patch information and update guidance.

Workarounds

  • Implement strict input validation and output encoding at the server level using security plugins
  • Deploy a Web Application Firewall with XSS protection rules enabled
  • Restrict wishlist creation to trusted user roles if business requirements permit
  • Add Content Security Policy headers to prevent inline script execution
bash
# Add CSP header in Apache .htaccess to mitigate XSS impact
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';"

# Or in Nginx configuration
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';";

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.