Cybersecurity researchers have revealed a critical, unpatched security flaw affecting the TI WooCommerce Wishlist plugin for WordPress. This vulnerability could allow unauthenticated attackers to upload arbitrary files to the server.
TI WooCommerce Wishlist, which powers over 100,000 active installations, enables e-commerce customers to save favorite products for later and share their lists on social media platforms.
“The plugin contains an arbitrary file upload vulnerability that lets attackers upload malicious files to the server without requiring authentication,” explained Patchstack researcher John Castro.
Identified as CVE-2025-47577, the flaw carries a CVSS score of 10.0. It affects all plugin versions up to and including 2.9.2, released on November 29, 2024. At present, no official patch is available.
Patchstack reported that the issue stems from a function called tinvwl_upload_file_wc_fields_factory. This function uses WordPress’s native wp_handle_upload() for validation but overrides the parameters test_form and test_type, setting them to false.
The test_type parameter typically checks whether the file’s MIME type is valid, while test_form verifies that the $_POST['action'] parameter matches expectations. By disabling both, the validation process is bypassed, enabling the upload of any file type.
That said, the vulnerable function is only accessible through tinvwl_meta_wc_fields_factory or tinvwl_cart_meta_wc_fields_factory, which are available only when the WC Fields Factory plugin is active.
This means exploitation is possible only if the WC Fields Factory plugin is installed and activated, and the integration is enabled within the TI WooCommerce Wishlist plugin.
In a potential attack scenario, a threat actor could upload a malicious PHP file and achieve remote code execution (RCE) by directly accessing it.
Plugin developers are advised to avoid setting 'test_type' => false when using wp_handle_upload(). In the meantime, users are urged to deactivate and delete the plugin until a patch becomes available.
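To illustrate the override pattern described above and the developer advice just given, here is an added example (not the plugin's code) showing the weak wp_handle_upload() call next to a hardened version. It assumes a WordPress runtime; the function names example_upload_weak, example_upload_hardened, the nonce action 'example_upload' and the allow-list are hypothetical.

```php
<?php
// Added illustrative example, not code from the TI WooCommerce Wishlist plugin.
// Assumes WordPress core is loaded (wp_handle_upload, wp_verify_nonce,
// current_user_can and wp_check_filetype_and_ext are core functions).

// WEAK: both overrides disabled. test_form no longer checks that
// $_POST['action'] matches the expected form action, and test_type no
// longer validates the MIME type, so any file type is written to disk.
function example_upload_weak( array $file ) {
    $overrides = array(
        'test_form' => false, // skips the $_POST['action'] check
        'test_type' => false, // skips MIME / extension validation
    );
    return wp_handle_upload( $file, $overrides );
}

// HARDENED: require a capability and a nonce before touching the file,
// keep core validation enabled, and restrict uploads to an explicit
// allow-list of extension => MIME pairs.
function example_upload_hardened( array $file ) {
    if ( ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient capability.' );
    }
    $nonce = isset( $_POST['_wpnonce'] ) ? $_POST['_wpnonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'example_upload' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid or missing nonce.' );
    }
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'pdf'      => 'application/pdf',
    );
    // Verify the file's real content against its claimed extension first.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'File type not allowed.' );
    }
    $overrides = array(
        'action'    => 'example_upload', // value test_form compares $_POST['action'] against
        'test_form' => true,
        'test_type' => true,
        'mimes'     => $allowed,         // allow-list passed to core's type check
    );
    return wp_handle_upload( $file, $overrides );
}
```

With test_type left enabled, a file whose content or extension is not in the allow-list is rejected by core before it reaches the uploads directory, which is the behaviour the disabled overrides removed.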
Source: TheHackerNews