A severe security vulnerability in the widely used TI WooCommerce Wishlist plugin has exposed more than 100,000 WordPress websites to potential cyberattacks. Security experts warn that exploitation may already be underway.
The flaw, tracked as CVE-2025-47577, has received the highest possible severity rating with a CVSS score of 10.0. It allows unauthenticated attackers to upload arbitrary files to a site, potentially leading to full server compromise.
Widespread Risk With No Available Patch
The TI WooCommerce Wishlist plugin adds wishlist features to online stores built with WooCommerce. It is widely used by e-commerce websites globally. However, version 2.9.2 and all earlier versions are affected by this critical vulnerability.
As of now, the plugin’s developers have not released a patch. This leaves site administrators with few options other than to remove the plugin entirely to stay protected.
Patchstack, a cybersecurity firm, discovered the flaw during routine testing. The team contacted the plugin vendor on March 26, 2025, but received no response. On May 16, the vulnerability was added to Patchstack’s threat database, and a public advisory was issued on May 27.
Technical Details of the Exploit
The vulnerability exists in the plugin’s file upload handling, specifically in the tinvwl_upload_file_wc_fields_factory function. This function calls WordPress’s native wp_handle_upload but disables two key security checks.
```php
function tinvwl_upload_file_wc_fields_factory( $file ) {
    if ( ! function_exists( 'wp_handle_upload' ) ) {
        require_once( ABSPATH . 'wp-admin/includes/file.php' );
    }
    $upload = wp_handle_upload(
        $file,
        [
            'test_form' => false, // skips the form action check
            'test_type' => false, // skips extension/MIME validation
        ]
    );
    return $upload;
}
```
The issue lies in the 'test_type' => false setting, which disables file type validation. This allows attackers to upload and execute malicious PHP files on the server, leading to a full takeover of the affected website.
Importantly, the vulnerability only becomes exploitable if the WC Fields Factory plugin is also installed and active. This creates a specific attack condition, but it still affects a significant number of websites.
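For comparison, the following is an added example of how the same upload helper looks with the type check left in place. It is not code from the plugin or from a vendor fix; the function name, the image-only allowlist and the capability check are assumptions made for illustration, while wp_handle_upload, wp_check_filetype_and_ext, wp_delete_file and the test_type/mimes override keys are WordPress core APIs.

```php
<?php
// Added example (not the plugin's code): a hardened variant of the upload helper.
// Assumes the caller has already verified a nonce for the submitting form.

function example_safe_upload_wc_fields_factory( $file ) {
    if ( ! function_exists( 'wp_handle_upload' ) ) {
        require_once ABSPATH . 'wp-admin/includes/file.php';
    }

    // Only users who may upload files should reach this code path at all.
    if ( ! current_user_can( 'upload_files' ) ) {
        return array( 'error' => 'Insufficient permissions.' );
    }

    // Allowlist of the MIME types this feature actually needs (assumed: images only).
    $allowed_mimes = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    );

    $upload = wp_handle_upload(
        $file,
        array(
            'test_form' => false,        // no WordPress form action field, as in the original
            'test_type' => true,         // keep extension and MIME validation enabled
            'mimes'     => $allowed_mimes, // narrower than the site-wide allowed types
        )
    );

    if ( isset( $upload['error'] ) ) {
        return $upload;
    }

    // Defense in depth: re-check the stored file's extension and content
    // against the allowlist after it has been written to disk.
    $check = wp_check_filetype_and_ext(
        $upload['file'],
        basename( $upload['file'] ),
        $allowed_mimes
    );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_delete_file( $upload['file'] );
        return array( 'error' => 'Uploaded file type is not allowed.' );
    }

    return $upload;
}
```

The essential difference is that 'test_type' is no longer false, so wp_handle_upload rejects a .php file regardless of what the client claims; the 'mimes' override additionally restricts the upload to the types the feature needs rather than everything the site allows, and the capability check ensures the path is not reachable by unauthenticated requests.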
Security Recommendations
Until a patch is released, cybersecurity professionals strongly advise website administrators to disable or remove the TI WooCommerce Wishlist plugin from their WordPress installations, especially if the WC Fields Factory plugin is also in use.
The situation highlights the ongoing risks associated with third-party WordPress plugins and the importance of responsive vendor communication in addressing security threats.