WordPress TI WooCommerce Wishlist Plugin Vulnerability Threatens 100,000+ Websites


A severe security vulnerability has been discovered in the popular TI WooCommerce Wishlist plugin, jeopardizing the security of more than 100,000 WordPress-powered eCommerce websites.

Security researchers have identified an unauthenticated arbitrary file upload vulnerability (CVE-2025-47577) remaining unpatched in the plugin’s most recent version, 2.9.2, as of May 27, 2025.

This flaw enables attackers to upload and execute malicious files on affected WordPress installations, posing an immediate risk of remote code execution (RCE) and complete site compromise.

Technical Analysis

The vulnerability resides in the plugin’s tinvwl_upload_file_wc_fields_factory function, located in the integrations/wc-fields-factory.php script.

While this function utilizes WordPress’s built-in wp_handle_upload() method, it dangerously disables critical file type validation by setting the ‘test_type’ parameter to false.

This bypasses the standard safeguards that restrict uploads to safe file types such as images or documents, and instead allows unrestricted file uploads, including executable PHP scripts.

If exploited, an attacker can upload a malicious file and directly access and execute it, gaining unauthorized control over the site.

Importantly, the attack vector becomes accessible only if the WC Fields Factory plugin is also installed and activated alongside TI WooCommerce Wishlist.

The vulnerable function can then be triggered from either the tinvwl_meta_wc_fields_factory or tinvwl_cart_meta_wc_fields_factory hooks.

While this does limit exposure to websites running both plugins, the combined popularity of these extensions means thousands of stores remain at risk.

No Patch Available

Despite the critical nature of this flaw, there is currently no patched version of the TI WooCommerce Wishlist plugin available.

Security experts urge all users to deactivate and delete the plugin immediately to prevent exploitation.

WooCommerce store owners relying on wishlist functionality should seek alternative, actively maintained plugins until a fixed release is provided.

Those utilizing WC Fields Factory are particularly advised to audit their installations for any suspicious uploaded files and to reinforce server security.

According to the report, Patchstack, a leading WordPress security platform, has confirmed that all paid customers are protected from this vulnerability, while even free Community accounts can scan for exposure.

The company offers affordable site protection and specialized security audits, providing an extra layer of defense for both end users and plugin developers during this high-risk period.

For plugin developers, this incident highlights the necessity of adhering to WordPress's default security measures, particularly when handling file uploads.

Developers are encouraged to avoid disabling file type checks by setting ‘test_type’ to false or an empty string and to rigorously validate and sanitize all user-supplied files.

This precaution substantially reduces the risk of inadvertent file upload vulnerabilities and remote code execution.
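The upload pattern described above, shown next to a hardened variant, as an added illustration written for this article and not taken from the plugin's source; the function names, the nonce action and the allow-listed MIME types are assumptions.

```php
<?php
// Added illustrative example; not the plugin's own code. Function names, the
// nonce action and the MIME allow-list are assumptions for demonstration.
require_once ABSPATH . 'wp-admin/includes/file.php'; // provides wp_handle_upload()

// Pattern the advisory describes: 'test_type' => false switches off WordPress's
// extension/MIME validation, so a .php file is accepted like any other upload.
function wishlist_upload_unsafe_example( array $file ) {
    $overrides = array(
        'test_form' => false,
        'test_type' => false, // disables file type validation: do not do this
    );
    return wp_handle_upload( $file, $overrides );
}

// Hardened form: keep 'test_type' at its default (true), pass an explicit
// allow-list via 'mimes', and gate the handler behind a capability and a nonce
// so it cannot be reached by an unauthenticated request.
function wishlist_upload_hardened_example( array $file, string $nonce ) {
    if ( ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient permissions.' );
    }
    if ( ! wp_verify_nonce( $nonce, 'wishlist_field_upload' ) ) { // assumed action name
        return new WP_Error( 'bad_nonce', 'Invalid request.' );
    }

    // Extension => MIME allow-list; php, phtml, html, svg and so on are not listed.
    $allowed_mimes = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'pdf'      => 'application/pdf',
    );

    // Defence in depth: verify real content against the claimed extension first.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed_mimes );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'File type not permitted.' );
    }

    $overrides = array(
        'test_form' => false,
        // 'test_type' deliberately left unset (defaults to true), so
        // wp_handle_upload() re-validates against $allowed_mimes.
        'mimes'     => $allowed_mimes,
    );
    $result = wp_handle_upload( $file, $overrides );
    if ( isset( $result['error'] ) ) { // wp_handle_upload() reports failure via 'error'
        return new WP_Error( 'upload_failed', $result['error'] );
    }
    return $result; // array with 'file', 'url' and 'type' on success
}
```

The hardened handler is meant to be wired to a hook only after the capability and nonce checks, which is the part the advisory notes was missing when the upload was reachable unauthenticated.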

In summary, until the TI WooCommerce Wishlist plugin releases a security patch, affected site owners are strongly encouraged to remove the plugin from their installations.

Vigilance, regular vulnerability scans, and adherence to best security practices will remain paramount in protecting eCommerce operations from similar threats.

Security researchers promise to provide updates if a patched version becomes available, underscoring the need for rapid response and community awareness in the evolving WordPress ecosystem.


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
