
A severe flaw has been discovered in the TI WooCommerce Wishlist plugin, which is used by more than 100,000 WordPress websites. The vulnerability allows unauthenticated attackers to upload any type of file to a website, potentially leading to full site compromise through remote code execution.
TI WooCommerce Wishlist Plugin
The TI WooCommerce Wishlist plugin is widely used by online store owners to let their customers create and share wishlists. It helps shoppers save their favorite products and share them on social media, boosting user engagement and potential sales. However, a newly discovered vulnerability in this plugin is putting thousands of websites at serious risk.
Security researchers at Patchstack have revealed that the plugin contains an arbitrary file upload vulnerability that can be exploited without authentication. Tracked as CVE-2025-47577, this flaw has been assigned the highest possible CVSS score—10.0, indicating a critical threat.
The vulnerability affects all versions of the plugin up to and including version 2.9.2, which was released on November 29, 2024. Currently, there is no patch available, making the situation even more concerning for WordPress website administrators.
How the Vulnerability Works
The issue lies in a function called tinvwl_upload_file_wc_fields_factory, which handles file uploads. This function uses WordPress's native wp_handle_upload() function to manage the upload process, but it improperly overrides two important parameters, test_form and test_type, setting both to false.
test_form=false: Disables the check that the upload request carries the expected form action, so the function no longer verifies that the file arrived through a legitimate request.
test_type=false: Disables file type validation, allowing any file type to be uploaded, including dangerous ones such as .php.
By bypassing these safety checks, attackers can upload malicious files to the server. For instance, an attacker could upload a PHP shell script and then execute it remotely, effectively gaining full control of the website—a technique known as remote code execution (RCE).
Although the vulnerability is serious, it requires the WC Fields Factory plugin to be installed and active for exploitation to succeed. The vulnerable upload function is only accessible when the integration between WC Fields Factory and the TI WooCommerce Wishlist plugin is enabled.
So, while the flaw is extremely dangerous, not all sites using the TI Wishlist plugin are automatically vulnerable. Only those with the WC Fields Factory plugin active and integrated with the Wishlist plugin are at immediate risk.

As of now, there is no official patch from the developers of the TI WooCommerce Wishlist plugin. Security experts are urging site administrators to take immediate action to protect their websites.
Recommended Actions:
Deactivate and remove the plugin from your WordPress site if you are using version 2.9.2 or earlier.
Check for the presence of WC Fields Factory and disable it if it’s not in active use.
Scan your server for suspicious files, especially newly uploaded PHP files.
Monitor your logs for unusual activity, such as unknown IP addresses accessing file paths directly.
Until a security update is released, these steps are critical in preventing potential attacks.
Developers using the wp_handle_upload() function in their WordPress plugins are advised to avoid disabling file and form validation. Specifically, they should not set test_type or test_form to false, as doing so bypasses important security checks and opens the door to arbitrary file uploads.
By adhering to secure coding practices, plugin developers can prevent similar vulnerabilities from appearing in the future.
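As an added illustration, and not code from the plugin, Patchstack or WordPress core, the following shows the override pattern described above next to a hardened version of the same wp_handle_upload() call. The function names, the nonce action and the allowed MIME list are assumptions chosen for the example.

```php
<?php
// Added example, not the plugin's own code: the wp_handle_upload() call with the
// weak overrides the article describes, beside a hardened version of the same call.
// Assumes WordPress is loaded; function names, nonce action and MIME list are hypothetical.

// Weak pattern: both checks disabled, so any file type is accepted from any request.
function example_weak_upload( array $file ) {
    $overrides = array(
        'test_form' => false, // no check that the request carries the expected form action
        'test_type' => false, // no extension/MIME check, so a .php file is accepted
    );
    return wp_handle_upload( $file, $overrides );
}

// Hardened pattern: authorize the caller, keep both checks on, and restrict MIME types.
function example_hardened_upload( array $file ) {
    // Authentication and authorization before the file is touched.
    if ( ! is_user_logged_in() || ! current_user_can( 'upload_files' ) ) {
        return array( 'error' => 'Not allowed.' );
    }
    // CSRF protection: a nonce tied to this specific action (hypothetical name).
    if ( ! check_ajax_referer( 'example_wishlist_upload', 'nonce', false ) ) {
        return array( 'error' => 'Invalid request.' );
    }

    // Only the types this feature actually needs; nothing executable.
    $allowed_mimes = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'pdf'      => 'application/pdf',
    );

    // Reject the file if WordPress cannot match it to an allowed extension and type.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed_mimes );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return array( 'error' => 'File type not permitted.' );
    }

    $overrides = array(
        'test_form' => true,                      // keep the form-action check
        'test_type' => true,                      // keep WordPress's type validation
        'mimes'     => $allowed_mimes,            // and narrow it to the allowlist above
        'action'    => 'example_wishlist_upload', // expected value of $_POST['action']
    );
    return wp_handle_upload( $file, $overrides );
}
```

Both functions return the same array shape as wp_handle_upload(), so a caller can check for the 'error' key uniformly; the hardened version simply refuses before the file reaches the uploads directory.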
This vulnerability highlights the importance of keeping WordPress plugins up to date and being cautious about which plugins are installed on a website. Even widely used plugins with many active installations can contain critical security flaws that put your entire site at risk.
If you are using the TI WooCommerce Wishlist plugin on your WordPress site, take this warning seriously. Until a fix is released, the best course of action is to uninstall the plugin immediately and consider alternative wishlist solutions that are actively maintained and verified as secure.