Cybersecurity researchers have recently revealed a critical, unpatched security flaw in the popular TI WooCommerce Wishlist plugin for WordPress. The vulnerability allows unauthenticated attackers to upload arbitrary files, posing a serious risk of remote code execution (RCE).
The TI WooCommerce Wishlist plugin, which boasts over 100,000 active installations, enables e-commerce customers to save their favorite products and share their wishlists on social media platforms. John Castro, a security researcher at Patchstack, confirmed that the vulnerability is an arbitrary file upload flaw exploitable without any authentication.
Identified as CVE-2025-47577 and assigned a maximum CVSS score of 10.0, the flaw affects all versions up to and including the latest 2.9.2 release from November 29, 2024. No official patch has been released to date.
The root cause lies in a plugin function named "tinvwl_upload_file_wc_fields_factory," which calls the native WordPress function wp_handle_upload with the parameters "test_form" and "test_type" both set to false. Setting "test_type" to false disables WordPress's file-type validation (the extension and MIME check normally applied to uploads), so any file type is accepted and written to the uploads directory.
Successful exploitation requires that the WC Fields Factory plugin be installed and activated on the WordPress site, with integration enabled between it and the TI WooCommerce Wishlist plugin.
In a typical attack scenario, malicious PHP files can be uploaded and accessed directly, enabling attackers to execute code remotely on the targeted website, posing a significant security threat.
Security experts recommend plugin developers avoid or remove the practice of setting “test_type” to false when using wp_handle_upload. Given the absence of a patch, users are strongly advised to deactivate and uninstall the plugin immediately to mitigate potential risks.
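To make the root cause and the recommended fix concrete, the following is an added illustration written for this article; it is not code from the TI WooCommerce Wishlist plugin. It shows a plugin upload handler calling wp_handle_upload with "test_type" set to false, next to a hardened version that leaves "test_type" at its default of true, restricts accepted types with the "mimes" override, and requires a nonce and capability. The function and nonce names (wishlist_demo_*) are assumed for the example.

```php
<?php
// Added example, not the plugin's own code. Both handlers expect a file in $_FILES['file'].
// wp_handle_upload() lives in wp-admin/includes/file.php, so load it outside the admin.
require_once ABSPATH . 'wp-admin/includes/file.php';

// Insecure pattern described in the advisory. 'test_type' => false skips
// wp_check_filetype_and_ext(), so a .php file is stored like any other upload.
function wishlist_demo_upload_insecure() {
    if ( empty( $_FILES['file'] ) ) {
        return new WP_Error( 'no_file', 'No file supplied.' );
    }
    $overrides = array(
        'test_form' => false, // skip the form-action check (common for AJAX handlers)
        'test_type' => false, // WEAK: every file type, including PHP, is accepted
    );
    return wp_handle_upload( $_FILES['file'], $overrides );
}

// Hardened version: keep WordPress's type check (default true), allowlist the
// expected MIME types, and refuse unauthenticated or unprivileged callers.
function wishlist_demo_upload_hardened() {
    if ( ! is_user_logged_in() || ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'forbidden', 'You are not allowed to upload files.' );
    }
    // Nonce action name is part of this example, not the plugin's.
    check_ajax_referer( 'wishlist_demo_upload', '_wpnonce' );

    if ( empty( $_FILES['file'] ) ) {
        return new WP_Error( 'no_file', 'No file supplied.' );
    }

    // Only the types the feature genuinely needs; extension => MIME pairs.
    $allowed_mimes = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'pdf'      => 'application/pdf',
    );

    $overrides = array(
        'test_form' => false,          // unrelated to type validation; still acceptable
        // 'test_type' is deliberately left at its default of true
        'mimes'     => $allowed_mimes, // enforced by wp_check_filetype_and_ext()
    );

    $result = wp_handle_upload( $_FILES['file'], $overrides );
    if ( isset( $result['error'] ) ) {
        // Rejected uploads (wrong type, size, move failure) surface here
        return new WP_Error( 'upload_failed', $result['error'] );
    }
    return $result; // 'file', 'url' and 'type' on success
}
```

The two handlers differ in exactly the way the advisory describes: "test_form" only controls the form-action check and can stay false, while "test_type" is what stands between an attacker-chosen filename and a PHP file sitting in a web-reachable directory. Passing an explicit "mimes" allowlist narrows the check further than the site-wide upload_mimes setting.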