CVE-2025-5238: 
WordPress vulnerability analysis and mitigation

The YITH WooCommerce Wishlist plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter in versions up to and including 4.5.0. The vulnerability was discovered and disclosed on June 13, 2025, and has been patched in version 4.6.0. This security issue affects the plugin's wishlist functionality (NVD, Wiz).

The vulnerability stems from insufficient input sanitization and output escaping of the 'id' parameter in the plugin. The issue has been classified as CWE-79: Improper Neutralization of Input During Web Page Generation. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (NVD).

When exploited, this vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages that will execute whenever a user accesses an affected page. This can lead to potential client-side attacks, including theft of sensitive information, session hijacking, or other malicious actions performed in the context of the affected user's browser (Wiz).

Users are advised to update to version 4.6.0 or later of the YITH WooCommerce Wishlist plugin, which contains the security fix for this vulnerability. The update was released on June 12, 2025, and includes patches for the identified security issue along with support for WooCommerce 9.9 (WordPress Plugin).