Security researchers at Patchstack have uncovered a severe security flaw in the TI WooCommerce Wishlist plugin, potentially affecting more than 100,000 WordPress websites. The vulnerability enables unauthorized attackers to upload malicious files to affected servers, posing a significant risk to e-commerce platforms.
Understanding the Security Vulnerability
The identified vulnerability, designated as CVE-2025-47577, has received the highest possible CVSS score of 10.0, indicating maximum severity. The security flaw affects all versions of the plugin up to and including 2.9.2, stemming from improper implementation of the tinvwl_upload_file_wc_fields_factory function that interfaces with WordPress’s native wp_handle_upload mechanism.
Technical Analysis of the Exploit
The critical security bypass occurs due to the disabled security parameters test_form and test_type within the file upload functionality. Most concerning is the test_type parameter being set to false, which completely bypasses MIME type verification for uploaded files. This oversight creates a dangerous attack vector, allowing malicious actors to upload arbitrary file types, including executable PHP scripts.
Exploitation Prerequisites
For successful exploitation, attackers require two specific conditions:
– An active WC Fields Factory plugin installation
– Enabled integration features within TI WooCommerce Wishlist
When these conditions are met, unauthorized users can potentially execute malicious code on the target server.
Immediate Security Measures
Given that no security patch is currently available, cybersecurity experts strongly advise WordPress administrators to take immediate action by either deactivating or completely removing the TI WooCommerce Wishlist plugin. This proactive measure is essential to prevent potential website compromise and data breaches.
The discovery of this vulnerability highlights the critical importance of maintaining robust security practices in WordPress e-commerce environments. Website administrators should implement regular security audits, maintain comprehensive plugin inventories, and establish rapid response protocols for addressing emerging security threats. Until a patch is released, the potential impact on e-commerce operations must be weighed against the significant security risks posed by continuing to use the vulnerable plugin version.
