WordPress TI WooCommerce Wishlist Plugin Vulnerability Exposes 100,000+ Websites To Cyberattack

Posted on May 28, 2025 by CWS

A critical security vulnerability in the popular TI WooCommerce Wishlist plugin has left over 100,000 WordPress websites exposed to potential cyberattacks, with security researchers warning of imminent exploitation risks.

The vulnerability, designated CVE-2025-47577 and assigned the maximum CVSS score of 10.0, allows unauthenticated attackers to upload arbitrary files to affected websites, potentially leading to complete server compromise.

The TI WooCommerce Wishlist plugin, which adds wishlist functionality to WooCommerce stores, has become a significant security liability for e-commerce websites worldwide.

The vulnerability specifically affects version 2.9.2 and all earlier versions, with no patched release currently available from the plugin developers.

This security flaw represents one of the most severe WordPress plugin vulnerabilities discovered in recent months, given its widespread deployment and the severity of potential attacks.

Patchstack analysts identified this critical vulnerability during routine security assessments and immediately attempted to contact the plugin vendor on March 26, 2025.

However, after receiving no response from the developers for nearly two months, the security firm proceeded to publish the vulnerability details to their database on May 16, 2025, followed by a public advisory on May 27, 2025.

The lack of vendor response has left website administrators with limited options beyond completely removing the plugin from their installations.

Technical Infection Mechanism

The vulnerability stems from a fundamental flaw in the plugin's file upload handling mechanism, specifically within the tinvwl_upload_file_wc_fields_factory function.

This function processes file uploads through WordPress's native wp_handle_upload function but deliberately disables critical security validations that would normally prevent malicious file uploads.

The problematic code demonstrates a dangerous configuration that bypasses WordPress's built-in security measures:

    function tinvwl_upload_file_wc_fields_factory( $file ) {
        // Load the WordPress upload API if it is not already available.
        if ( ! function_exists( 'wp_handle_upload' ) ) {
            require_once( ABSPATH . 'wp-admin/includes/file.php' );
        }
        $upload = wp_handle_upload(
            $file,
            [
                'test_form' => false, // skip the admin form/action check
                'test_type' => false, // skip MIME/extension validation (the vulnerable setting)
            ]
        );
        return $upload;
    }

The critical security failure occurs through the 'test_type' => false parameter, which explicitly disables the file type validation that would normally restrict uploads to safe file types.

This configuration allows attackers to upload executable PHP files directly to the server, which can then be accessed and executed remotely to achieve full system compromise.

The vulnerability is only exploitable when the WC Fields Factory plugin is simultaneously active, creating a specific attack vector that affects a subset of the plugin's user base.
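For comparison, the following is an added example of what a hardened version of the upload helper above would look like. It is not the plugin's own code and not the vendor's fix (none has been released per this article); the function name example_safe_wishlist_upload, the allow-list and the size cap are constructed for illustration, and the code assumes it runs inside WordPress so that wp_handle_upload(), wp_check_filetype_and_ext() and ABSPATH exist. The point it demonstrates is that 'test_type' stays enabled and is further narrowed with an explicit 'mimes' allow-list, so a .php payload is rejected before it ever reaches the uploads directory.

```php
<?php
// Added example, not code from the TI WooCommerce Wishlist plugin.
// Function name and allow-list are hypothetical; assumes a WordPress runtime.

function example_safe_wishlist_upload( array $file ) {
    if ( ! function_exists( 'wp_handle_upload' ) ) {
        require_once ABSPATH . 'wp-admin/includes/file.php';
    }

    // Explicit allow-list of extension => MIME pairs. Anything outside it,
    // including .php, .phtml and .phar, is refused regardless of the
    // site-wide upload_mimes filter.
    $allowed_mimes = [
        'jpg|jpeg|jpe' => 'image/jpeg',
        'png'          => 'image/png',
        'gif'          => 'image/gif',
        'pdf'          => 'application/pdf',
    ];

    // Defence in depth: check the real file content against the declared
    // name before handing it to the upload API. An empty ext or type means
    // the file did not match any allowed pair.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed_mimes );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return [ 'error' => 'File type not permitted.' ];
    }

    // Constructed size cap (1 MiB) so an unauthenticated caller cannot fill the disk.
    if ( ! isset( $file['size'] ) || $file['size'] > 1048576 ) {
        return [ 'error' => 'File too large.' ];
    }

    $upload = wp_handle_upload(
        $file,
        [
            'test_form' => false,          // no admin form nonce for this endpoint
            'test_type' => true,           // keep WordPress's MIME/extension validation ON
            'mimes'     => $allowed_mimes, // and restrict it to the allow-list above
        ]
    );

    // wp_handle_upload() returns [ 'error' => ... ] on failure and
    // [ 'file' => ..., 'url' => ..., 'type' => ... ] on success; the caller
    // should check for the 'error' key rather than trusting the result blindly.
    return $upload;
}
```

The 'test_form' => false override is legitimate where no admin-post form is involved, but 'test_type' is the control that decides whether the server trusts the client's file name; with it off, wp_handle_upload() writes whatever it is given. Administrators can confirm their exposure to the condition described above by listing active plugins and versions with wp plugin list --status=active --fields=name,version and looking for both TI WooCommerce Wishlist (2.9.2 or earlier) and WC Fields Factory.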

