CRITICAL SECURITY ALERT: 100,000+ WooCommerce Sites at Risk - Take Action Now
CRITICAL VULNERABILITY

TI WooCommerce Wishlist Plugin: Critical File Upload Vulnerability (CVE-2025-47577)

100,000+ WordPress sites vulnerable to remote code execution attacks. No patch available.

Vulnerability Details

CVE ID: CVE-2025-47577
CVSS Score: 10.0 CRITICAL
Authentication: None Required
Patch Available: No

Impact Assessment

Affected Sites: 100,000+
Attack Vector: Remote
Potential Impact: Complete Site Takeover
Affected Versions: ≤ 2.9.2

Executive Summary

Cybersecurity researchers have disclosed a critical unpatched security flaw impacting the TI WooCommerce Wishlist plugin for WordPress that could be exploited by unauthenticated attackers to upload arbitrary files.

TI WooCommerce Wishlist, which has over 100,000 active installations, is a tool to allow e-commerce site customers to save their favorite products for later and share the lists on social media platforms.

Technical Analysis

"The plugin is vulnerable to an arbitrary file upload vulnerability which allows attackers to upload malicious files to the server without authentication," Patchstack researcher John Castro said.

Tracked as CVE-2025-47577, the vulnerability carries a CVSS score of 10.0. It affects all versions of the plugin up to and including 2.9.2, released on November 29, 2024. There is currently no patch available.

Root Cause Analysis

The website security company said the issue lies in a function named "tinvwl_upload_file_wc_fields_factory," which, in turn, uses another native WordPress function "wp_handle_upload" to perform the validation, but sets the override parameters "test_form" and "test_type" to "false".

test_type Parameter

Used to check whether the Multipurpose Internet Mail Extensions (MIME) type of the file is as expected.

test_form Parameter

Used to verify that the $_POST['action'] parameter is as expected.

Critical Flaw

Setting "test_type" to false effectively bypasses the file type validation, allowing a file of any type to be uploaded.

Attack Prerequisites & Scenario

Required Conditions for Exploitation

The vulnerable function is accessible via tinvwl_meta_wc_fields_factory or tinvwl_cart_meta_wc_fields_factory, which are only available when the WC Fields Factory plugin is active.

WC Fields Factory plugin installed and activated
Integration enabled on TI WooCommerce Wishlist plugin
No authentication required

Hypothetical Attack Scenario

In a hypothetical attack scenario, a threat actor could upload a malicious PHP file and achieve remote code execution (RCE) by directly accessing the uploaded file. This would give attackers complete control over the affected WordPress site.

Immediate Actions Required

For Site Owners

Deactivate and delete TI WooCommerce Wishlist plugin immediately
Scan your site for any recently uploaded suspicious files
Monitor server logs for unusual activity

For Developers

Remove or avoid setting 'test_type' => false when using wp_handle_upload()
Implement proper file type validation
Add authentication checks for file upload functions
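The following is an added illustration of the wp_handle_upload() override pattern described above, placing the weak call beside a hardened one. It is not the plugin's own code; both handler functions and the nonce action name are hypothetical, while wp_handle_upload() and its 'test_form', 'test_type', 'action' and 'mimes' override keys are real WordPress APIs.

```php
<?php
// Added example, not code from the TI WooCommerce Wishlist plugin.
// Handler names and the nonce action 'hypothetical_upload' are assumptions.

// WEAK PATTERN: both built-in checks are switched off. With 'test_type' => false,
// wp_handle_upload() skips the MIME/extension check, so a .php file is accepted.
function hypothetical_weak_upload_handler( array $file ) {
    $overrides = array(
        'test_form' => false, // skips the $_POST['action'] check
        'test_type' => false, // skips the file type check
    );
    return wp_handle_upload( $file, $overrides );
}

// HARDENED PATTERN: keep both checks on, whitelist only the MIME types the
// feature needs, and require an authenticated, capable user with a valid nonce.
function hypothetical_hardened_upload_handler( array $file ) {
    if ( ! is_user_logged_in() || ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient permissions.' );
    }
    $nonce = isset( $_POST['_wpnonce'] ) ? $_POST['_wpnonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'hypothetical_upload' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid request.' );
    }
    $overrides = array(
        // 'test_form' stays at its default (true); 'action' names the value
        // that $_POST['action'] must carry for the upload to be processed.
        'action'    => 'hypothetical_upload',
        // 'test_type' stays at its default (true) so wp_check_filetype_and_ext() runs.
        // 'mimes' restricts the accepted types to what this feature actually needs.
        'mimes'     => array(
            'jpg|jpeg' => 'image/jpeg',
            'png'      => 'image/png',
        ),
    );
    $result = wp_handle_upload( $file, $overrides );
    // wp_handle_upload() reports failure via an 'error' key, not a WP_Error.
    if ( isset( $result['error'] ) ) {
        return new WP_Error( 'upload_failed', $result['error'] );
    }
    return $result; // on success: 'file', 'url' and 'type' keys
}
```

With the hardened handler, a request carrying a .php payload fails the type check even when every other field is well-formed, and an unauthenticated request never reaches wp_handle_upload() at all.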

Protect Your WooCommerce Store Today

Don't wait for the next vulnerability to impact your business. Get a comprehensive security assessment now.