Cybersecurity researchers have revealed a serious unpatched security vulnerability in the TI WooCommerce Wishlist plugin for WordPress, which could be exploited by unauthorized attackers to upload arbitrary files. This plugin, which has more than 100,000 active installations, allows e-commerce customers to save their favorite products for later and share their lists on social media.
The critical flaw, identified as CVE-2025-47577, has a CVSS score of 10.0 and affects all versions of the plugin up to and including 2.9.2, released on November 29, 2024. A patch has not yet been provided to address the issue.
The vulnerability is tied to a function called tinvwl_upload_file_wc_fields_factory that, when invoked, relies on the native WordPress function wp_handle_upload() to validate the upload. However, in the $overrides array passed to that function, test_form and test_type are both set to false, which disables the file type validation wp_handle_upload() would otherwise perform. As a result, attackers can upload files of any type, which could lead to severe security breaches.
Exploitation of this vulnerability requires the WC Fields Factory plugin to be active alongside the TI WooCommerce Wishlist plugin. If an attacker successfully exploits this flaw, they could upload a malicious PHP file, potentially gaining remote code execution (RCE) capabilities by accessing the uploaded file directly.
In response to the risk posed by this vulnerability, the plugin's developers are urged to revise their approach and stop setting test_type to false in the overrides passed to wp_handle_upload(). For users currently running this plugin, the best course of action is to deactivate and remove it from their websites until a suitable patch is available.
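To make the advisory's point concrete, the following is an added illustration (not code from the plugin) of how the $overrides array given to wp_handle_upload() decides whether WordPress validates the uploaded file type; the weak call is shown beside a hardened one. It assumes it runs inside WordPress, and the form field name tinvwl_file and the function names are hypothetical.

```php
<?php
// Added illustration, not the plugin's own code. Assumes a WordPress runtime;
// wp_handle_upload() lives in wp-admin/includes/file.php.
require_once ABSPATH . 'wp-admin/includes/file.php';

// Weak pattern (the one the advisory describes): test_type => false switches
// off wp_handle_upload()'s extension/MIME check, so a .php file is accepted
// and moved into the web-accessible uploads directory like any other file.
function example_weak_upload( array $file ) {
    $overrides = array(
        'test_form' => false,
        'test_type' => false, // disables file type validation
    );
    return wp_handle_upload( $file, $overrides );
}

// Hardened pattern: require a capability, leave test_type at its default of
// true so wp_check_filetype_and_ext() runs, and narrow the accepted types with
// an explicit 'mimes' whitelist instead of the site-wide allowed list.
function example_hardened_upload( array $file ) {
    if ( ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient permissions.' );
    }
    $overrides = array(
        'test_form' => false,
        'test_type' => true,
        'mimes'     => array(
            'jpg|jpeg' => 'image/jpeg',
            'png'      => 'image/png',
            'pdf'      => 'application/pdf',
        ),
    );
    $result = wp_handle_upload( $file, $overrides );
    // A rejected type is reported as an 'error' element, not an exception.
    if ( isset( $result['error'] ) ) {
        return new WP_Error( 'upload_rejected', $result['error'] );
    }
    return $result; // array with 'file', 'url' and 'type' on success
}

// Usage with a hypothetical form field:
// $out = example_hardened_upload( $_FILES['tinvwl_file'] );
```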