Unpatched Vulnerability in TI WooCommerce Wishlist Plugin Poses Severe Security Risk
Cybersecurity researchers have identified a critical unpatched vulnerability in the popular TI WooCommerce Wishlist plugin for WordPress

CYBER SYRUP
Delivering the sweetest insights on cybersecurity.

Cybersecurity researchers have identified a critical unpatched vulnerability in the popular TI WooCommerce Wishlist plugin for WordPress, which could allow unauthenticated attackers to upload arbitrary files to affected websites. With over 100,000 active installations, this plugin is widely used by e-commerce websites to let customers save and share their favorite products.
The flaw, tracked as CVE-2025-47577, has been assigned a CVSS score of 10.0, the highest severity rating, indicating a significant threat to affected WordPress environments.
Technical Details
According to a report from Patchstack security researcher John Castro, the vulnerability resides in a function named tinvwl_upload_file_wc_fields_factory. This function leverages WordPress’s built-in wp_handle_upload() to process file uploads.
The Problem
The flaw arises from the way the function overrides two of wp_handle_upload()'s validation parameters:
'test_type' => false
'test_form' => false
These parameters control important security checks:
test_type ensures that the uploaded file’s MIME type is appropriate and expected.
test_form ensures that the $_POST['action'] parameter is valid and helps prevent cross-site request forgery (CSRF).
By setting both to false, the plugin bypasses standard file validation, allowing any file type to be uploaded, including potentially malicious scripts such as .php files.
Scope and Limitations of Exploitation
While the vulnerability is serious, exploitation depends on two preconditions:
The function is only accessible if the WC Fields Factory plugin is also installed and activated on the same WordPress site.
Additionally, integration with WC Fields Factory must be enabled in the TI WooCommerce Wishlist plugin settings.
This means that not all installations of the wishlist plugin are immediately vulnerable—only those that meet these criteria are at risk.
Real-World Impact
If these conditions are met, a remote, unauthenticated attacker could exploit the vulnerability to:
Upload a malicious PHP file to the web server.
Access the uploaded file directly.
Execute arbitrary code remotely, effectively taking control of the compromised site.
Such an exploit could lead to:
Full website takeover
Installation of backdoors
Deployment of malware or ransomware
Theft of customer data and credentials
Mitigation and Recommendations
No Patch Available (as of now)
As of the time of writing, no official patch has been released by the plugin’s developers. The most recent vulnerable version is 2.9.2, released on November 29, 2024.
Recommendations for Site Administrators
Until a fix is made available, website administrators should take immediate action to mitigate risk:
Deactivate and remove the TI WooCommerce Wishlist plugin, especially if the WC Fields Factory plugin is active.
Audit file uploads and monitor for suspicious activity in the /wp-content/uploads directory.
Use a Web Application Firewall (WAF) to help block unauthorized upload attempts.
Monitor system logs for signs of unexpected PHP executions or new file creation.
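The audit and monitoring steps above can be scripted. The following is an added example for this article, not code from the plugin, from Patchstack or from WordPress: it walks an uploads tree and reports files that could run as PHP, judging by executable extensions anywhere in the name (so a double extension like avatar.php.jpg is caught), by a PHP open tag in the content regardless of name, and by an .htaccess file sitting in uploads. The extension list is an assumption about a typical Apache/nginx + PHP setup; the sample tree it builds is constructed for the demo and the PHP files in it only echo a marker.

```python
"""Audit a WordPress uploads tree for files that could run as PHP.

Added example for this article, not code from the plugin or from Patchstack.
Assumption: a typical Apache/nginx + PHP setup where the extensions listed
below are handed to the PHP interpreter; adjust for your server configuration.
"""
import os
import re
import tempfile

# Extensions the PHP interpreter is commonly configured to execute (assumption).
EXECUTABLE_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}

# A PHP open tag makes a file suspect whatever its name: a double extension
# such as avatar.php.jpg or a permissive server may still execute it.
PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def is_suspicious(path: str) -> list[str]:
    """Return the reasons a file looks like a PHP payload (empty list means clean)."""
    reasons = []
    name = os.path.basename(path).lower()
    # Inspect every extension in the name so 'avatar.php.jpg' is caught, not only 'x.php'.
    if any("." + part in EXECUTABLE_EXTENSIONS for part in name.split(".")[1:]):
        reasons.append("executable extension")
    if name == ".htaccess":
        reasons.append(".htaccess in uploads (may change how files are served)")
    try:
        with open(path, "rb") as fh:
            head = fh.read(4096)  # a real script starts with its open tag
    except OSError:
        return reasons
    if PHP_OPEN_TAG.search(head):
        reasons.append("contains PHP open tag")
    return reasons


def audit_uploads(root: str) -> dict[str, list[str]]:
    """Walk the uploads tree; map each suspicious file (path relative to root) to its reasons."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            reasons = is_suspicious(full)
            if reasons:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings[rel] = reasons
    return findings


def build_sample_uploads() -> str:
    """Create a constructed sample uploads tree in a temp dir and return its path.

    Every file here is made up for the example; the PHP files only echo a marker.
    """
    root = tempfile.mkdtemp(prefix="wp-uploads-sample-")
    samples = {
        "2024/11/product.jpg": b"\xff\xd8\xff\xe0JFIF constructed image bytes",
        "2024/11/wishlist-export.csv": b"sku,name\n42,Widget\n",
        "2024/11/image.php": b"<?php echo 'constructed marker'; ?>",
        "2024/11/avatar.php.jpg": b"<?php echo 'constructed marker'; ?>",
        "2024/11/notes.txt": b"<?php echo 'constructed marker';",
        "2024/11/.htaccess": b"Options -Indexes\n",
    }
    for rel, data in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    # For a live site point this at the real tree, e.g. audit_uploads("/var/www/html/wp-content/uploads").
    for path, why in sorted(audit_uploads(build_sample_uploads()).items()):
        print(f"{path}: {', '.join(why)}")
```

Run it on a schedule (or from a file-integrity monitor) and alert on any new finding; on a healthy WordPress install the uploads tree should never contain PHP at all, so the expected baseline is an empty result.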
Advice for Developers
Developers using wp_handle_upload() should ensure they do not override test_type or test_form unless absolutely necessary. Proper validation is crucial to prevent file upload vulnerabilities.
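The override pattern described under "The Problem" and the advice to developers just above are easy to check for in a plugin's source during review. The following is an added example for this article, not the wishlist plugin's code nor anything from Patchstack or WordPress: a regex-based lint that, in any PHP file calling wp_handle_upload() or wp_handle_sideload() (which takes the same overrides array), reports every 'test_type' => false or 'test_form' => false, with its line, the enclosing function, and a severity that ranks test_type higher because disabling it is what accepts arbitrary file types. The sample plugin source it scans is constructed for the demo; the enclosing-function attribution is a nearest-preceding-definition heuristic and the lint cannot see overrides built dynamically.

```python
"""Flag wp_handle_upload() / wp_handle_sideload() overrides that switch off
WordPress's upload checks.

Added example for this article, not the plugin's or Patchstack's code. It is a
regex lint: it can miss overrides assembled at runtime, and it attributes each
finding to the nearest preceding 'function' definition (a heuristic).
"""
import re

UPLOAD_CALL = re.compile(r"\bwp_handle_(upload|sideload)\s*\(")
DISABLED_CHECK = re.compile(r"""['"](test_type|test_form)['"]\s*=>\s*false\b""", re.IGNORECASE)
FUNCTION_DEF = re.compile(r"\bfunction\s+(\w+)\s*\(")

# test_type off = any file type accepted (the CVE-2025-47577 pattern);
# test_form off = the $_POST['action'] check skipped. Rank them accordingly.
SEVERITY = {"test_type": "high", "test_form": "medium"}


def find_disabled_upload_checks(php_source: str) -> list[dict]:
    """Return one finding per disabled check in a file that performs uploads.

    Each finding carries the 1-based line, the enclosing PHP function (None if
    top level), the check name and a severity.
    """
    if not UPLOAD_CALL.search(php_source):
        return []  # no upload handling in this file, so the overrides are irrelevant
    functions = [(m.start(), m.group(1)) for m in FUNCTION_DEF.finditer(php_source)]
    findings = []
    for m in DISABLED_CHECK.finditer(php_source):
        enclosing = None
        for start, name in functions:
            if start < m.start():
                enclosing = name  # last definition that begins before the match
        check = m.group(1).lower()
        findings.append({
            "line": php_source.count("\n", 0, m.start()) + 1,
            "function": enclosing,
            "check": check,
            "severity": SEVERITY[check],
        })
    return findings


# Constructed sample of a plugin file; it is not the wishlist plugin's real source.
SAMPLE_PLUGIN_SOURCE = """<?php
// Constructed sample, not real plugin code.
function sample_unsafe_upload( $file ) {
    $overrides = array(
        'test_form' => false,
        'test_type' => false,
    );
    return wp_handle_upload( $file, $overrides );
}

function sample_safe_upload( $file ) {
    // Leaves test_type and test_form on; narrows accepted types with 'mimes' instead.
    $overrides = array( 'mimes' => array( 'jpg|jpeg' => 'image/jpeg' ) );
    return wp_handle_upload( $file, $overrides );
}
"""


if __name__ == "__main__":
    for f in find_disabled_upload_checks(SAMPLE_PLUGIN_SOURCE):
        print(f"line {f['line']} in {f['function']}(): '{f['check']}' => false [{f['severity']}]")
```

Against the constructed sample it reports lines 5 and 6 inside sample_unsafe_upload() and nothing for sample_safe_upload(), whose overrides only narrow the accepted MIME types. Wiring a check like this into code review or CI is the practical form of the advice above: the overrides stay on by default, and any file that turns them off has to justify it explicitly.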
"Plugin developers are advised to avoid disabling built-in security checks such as test_type when handling uploads. Doing so undermines WordPress’s native protections against malicious file types," said researcher John Castro.
Conclusion
The disclosure of CVE-2025-47577 in the TI WooCommerce Wishlist plugin is a stark reminder of the risks posed by insecure file upload implementations. While the flaw is only exploitable under specific plugin configurations, its potential impact is severe. Until a fix is released, proactive mitigation is critical to protect WordPress sites from remote code execution attacks.
Website owners should remain vigilant, regularly audit their plugin use, and stay updated on disclosures to reduce the risk of compromise through third-party tools.