A serious security flaw has been discovered in the TI WooCommerce Wishlist plugin, a widely used WordPress extension with over 100,000 active installations. This vulnerability poses significant risks to WooCommerce store owners who rely on the plugin to add wishlist features to their online shops.
The TI WooCommerce Wishlist plugin is commonly integrated with other tools, such as the WC Fields Factory plugin, to enhance form customization. However, versions up to and including the current release 2.9.2 suffer from an unauthenticated arbitrary file upload vulnerability (CVE-2025-47577), which threatens the security of all affected websites.
Due to the absence of an available patch, security experts strongly recommend that users immediately deactivate and uninstall the plugin to protect their systems.
Details of the Vulnerability
The flaw stems from a critical oversight in the plugin’s file upload handling. Normally, WordPress enforces strict file type validation to prevent malicious uploads.
Unfortunately, the plugin disables this protection, effectively allowing attackers to upload any file type, including executable scripts. Because uploaded files land in a web-accessible directory, an attacker can then request the uploaded script directly, which enables remote code execution (RCE).
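To make the defect concrete, the following is an added example and not code from the plugin or from the article: it contrasts an upload handler that switches off WordPress's file type validation with one that keeps it on. The example assumes the defect can be modelled as passing `'test_type' => false` to `wp_handle_upload()`; the exact override the affected plugin uses is not stated in the article, and the helper names (`example_weak_upload`, `example_hardened_upload`, `example_has_executable_extension`) are the author's own.

```php
<?php
// Added example, not the plugin's code. Runs inside WordPress (from a plugin
// file or via `wp eval-file`). Assumption: the vulnerable pattern is the
// 'test_type' => false override; the real plugin's override is not on record here.

if ( ! function_exists( 'wp_handle_upload' ) ) {
    require_once ABSPATH . 'wp-admin/includes/file.php';
}

/**
 * Weak pattern: validation disabled. Any extension is accepted, so a .php
 * payload is written under wp-content/uploads and is reachable over HTTP.
 */
function example_weak_upload( array $file ) {
    return wp_handle_upload( $file, array(
        'test_form' => false,
        'test_type' => false, // the dangerous override
    ) );
}

/**
 * Hardened pattern: keep test_type on, restrict uploads to an explicit
 * allow-list of MIME types the feature actually needs, and refuse anything
 * that still carries a server-executable extension after WordPress's checks.
 */
function example_hardened_upload( array $file ) {
    $allowed = array(
        'jpg|jpeg|jpe' => 'image/jpeg',
        'png'          => 'image/png',
        'gif'          => 'image/gif',
        'pdf'          => 'application/pdf',
    );

    $result = wp_handle_upload( $file, array(
        'test_form' => false,
        'test_type' => true, // WordPress verifies extension and real MIME type
        'mimes'     => $allowed,
    ) );

    if ( isset( $result['error'] ) ) {
        return $result; // WordPress already rejected the file
    }

    // Belt-and-braces: double extensions such as shell.php.jpg are refused.
    if ( example_has_executable_extension( $result['file'] ) ) {
        wp_delete_file( $result['file'] );
        return array( 'error' => 'Executable file types are not permitted.' );
    }

    return $result;
}

/** True when any extension segment of the file name is PHP-like (foo.php.jpg included). */
function example_has_executable_extension( $path ) {
    $parts = explode( '.', strtolower( basename( $path ) ) );
    array_shift( $parts ); // drop the base name, keep every extension segment
    $dangerous = array( 'php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar', 'phps' );
    return count( array_intersect( $parts, $dangerous ) ) > 0;
}
```

The allow-list is the important part: `test_type => true` alone still accepts everything the site's global MIME list permits, whereas passing `mimes` narrows acceptance to what the feature needs.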
Technical Analysis and Scope
Exploitation of the vulnerability requires the WC Fields Factory plugin to be active, which somewhat narrows the attack surface. Nonetheless, a large number of sites remain vulnerable. Attackers can exploit this flaw without any authentication, uploading malicious code to compromise servers, steal sensitive data, or disrupt website operations.
The lack of an official patch has intensified concerns, as the only immediate mitigation is complete removal of the plugin.
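Because exploitation depends on both plugins being present and the only mitigation is removal, a store owner's first job is to confirm whether the combination is installed and whether the uploads directory already holds anything a web server would execute. The script below is an added triage example, not from the article or from either plugin; it assumes the default `wp-content` layout and the wordpress.org plugin slugs `ti-woocommerce-wishlist` and `wc-fields-factory`.

```php
<?php
// Added triage script, not part of the article or of either plugin.
// Usage: php triage.php /path/to/wordpress
// Assumptions: default wp-content layout and the wordpress.org slugs
// 'ti-woocommerce-wishlist' and 'wc-fields-factory' for the two plugins.

$root    = rtrim( $argv[1] ?? getcwd(), '/' );
$plugins = $root . '/wp-content/plugins';
$uploads = $root . '/wp-content/uploads';

// 1. Is the vulnerable combination present on disk? Presence is not the same
//    as "active"; `wp plugin list --status=active` gives the authoritative answer.
foreach ( array( 'ti-woocommerce-wishlist', 'wc-fields-factory' ) as $slug ) {
    printf( "%-28s %s\n", $slug, is_dir( "$plugins/$slug" ) ? 'INSTALLED' : 'not found' );
}

// 2. Look under uploads/ for files PHP would execute, including double
//    extensions (shell.php.jpg), and for server config files that can change
//    how other files in the directory are handled.
$dangerous = array( 'php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar', 'phps' );
$config    = array( '.htaccess', '.user.ini', 'php.ini' );
$findings  = array();

if ( is_dir( $uploads ) ) {
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $uploads, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iterator as $file ) {
        $name  = strtolower( $file->getFilename() );
        $parts = explode( '.', $name );
        array_shift( $parts ); // keep only extension segments
        if ( array_intersect( $parts, $dangerous ) || in_array( $name, $config, true ) ) {
            $findings[] = sprintf(
                '%s  %s  %d bytes',
                date( 'c', $file->getMTime() ),
                $file->getPathname(),
                $file->getSize()
            );
        }
    }
}

if ( $findings ) {
    echo "\nSuspicious files under uploads/ (preserve for forensics, do not execute):\n";
    foreach ( $findings as $line ) {
        echo "  $line\n";
    }
    exit( 1 ); // non-zero so the check can gate a scheduled job or deploy
}

echo "\nNo executable or config files found under uploads/.\n";
```

The modification timestamps are printed so that any hit can be correlated with web server access logs for the same window; a file found under `uploads/` that predates the plugin's installation is a different (but still important) finding from one written recently.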
Current Protections and Recommendations
Users of Patchstack’s paid security services are already protected against this vulnerability by existing rules, and the protection can be obtained after registering a free community account. For as little as $5 per site per month, these users receive temporary protection until an official fix is released.
Plugin developers and hosting providers are encouraged to utilize Patchstack’s security audit services and enterprise API to bolster defenses at scale.
Meanwhile, the broader WordPress community awaits an official update from the TI WooCommerce Wishlist development team to restore security without compromising functionality.
Until a patch is released, the unequivocal advice remains to disable and uninstall the plugin to prevent potential cyberattacks.
Broader Implications
This incident highlights the critical importance of rigorous security practices in plugin development. It serves as a cautionary tale about the risks of bypassing WordPress’s default file validation: a single misconfiguration can jeopardize thousands of websites.
As cyber threats continue to evolve in the digital landscape, online store owners must prioritize security over convenience to safeguard their operations.
Updates will be provided promptly once a patched version becomes available, enabling users to safely reinstate wishlist features.