A major vulnerability in the widely used TI WooCommerce Wishlist plugin has exposed over 100,000 WordPress websites to cyber threats, prompting serious concerns among security experts.

Tracked as CVE-2025-47577, the flaw carries a maximum CVSS score of 10.0, allowing unauthenticated attackers to upload arbitrary files to vulnerable sites. This could potentially give hackers full control over affected servers.

The plugin, known for adding wishlist features to WooCommerce stores, now poses a serious risk to global e-commerce platforms. Versions 2.9.2 and earlier remain unpatched, leaving users defenseless as developers have yet to release a fix.

Patchstack security analysts discovered the flaw during routine assessments and first reached out to the plugin vendor on March 26, 2025. After receiving no response for nearly two months, they published the vulnerability details in their database on May 16, followed by a public advisory on May 27.

Due to the developer’s silence, experts recommend that site administrators remove the plugin entirely until a secure version is released.

How the Exploit Works:

The issue lies in the plugin's tinvwl_upload_file_wc_fields_factory function. It uses WordPress's wp_handle_upload() but passes the 'test_type' => false override, which switches off the file-type validation that would otherwise reject unexpected extensions and MIME types. With that check gone, attackers can upload PHP files that the server then executes.
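To make the weak setting concrete, here is an added illustration of the same wp_handle_upload() call with the check disabled, placed beside a hardened version that keeps validation on and narrows the allow-list. This is example code written for this article, not the TI WooCommerce Wishlist plugin's own code; the function names, the nonce action and the allow-list are assumptions chosen for the illustration.

```php
<?php
// Added illustration, not the plugin's own code. Function names, the
// nonce action name and the allowed-type list are hypothetical.
// wp_handle_upload() lives in wp-admin/includes/file.php, so front-end
// handlers must load it explicitly.
require_once ABSPATH . 'wp-admin/includes/file.php';

// --- Weak pattern: file-type validation switched off. ---
// With 'test_type' => false, wp_handle_upload() skips
// wp_check_filetype_and_ext(), so any extension (including .php)
// is accepted and the file is moved into wp-content/uploads as-is.
function example_upload_unchecked( array $file ) {
    return wp_handle_upload( $file, array(
        'test_form' => false,
        'test_type' => false, // disables the extension/MIME check
    ) );
}

// --- Hardened pattern: caller is authorised, validation stays on, ---
// --- and the accepted types are reduced to an explicit allow-list. ---
function example_upload_checked( array $file ) {
    // Reject unauthenticated or under-privileged callers before touching
    // the file; the advisory's core problem is that no such gate existed.
    if ( ! current_user_can( 'upload_files' ) ) {
        return array( 'error' => 'Insufficient permissions.' );
    }

    // Tie the request to a nonce issued with the form (CSRF protection).
    $nonce = isset( $_POST['example_nonce'] ) ? $_POST['example_nonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'example_upload' ) ) {
        return array( 'error' => 'Invalid request.' );
    }

    // Explicit extension -> MIME allow-list. wp_handle_upload() checks the
    // file name and the sniffed content against this list when test_type
    // is left enabled.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'pdf'      => 'application/pdf',
    );

    // Defence in depth: validate before handing the file over at all.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return array( 'error' => 'File type not permitted.' );
    }

    return wp_handle_upload( $file, array(
        'test_form' => false,
        'test_type' => true,  // keep WordPress's own validation on
        'mimes'     => $allowed,
    ) );
}
```

The difference that matters is the single override: with test_type left at its default, WordPress compares the claimed extension and the detected content against the mimes list and refuses anything else, so a script disguised as an image is never written to disk. The capability and nonce checks are the second half of the fix, since even a correctly validated upload endpoint should not be reachable by anonymous requests. When reviewing a plugin, grep its source for 'test_type' => false and treat every hit as a finding to justify.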

Importantly, the vulnerable code path is only reachable if the WC Fields Factory plugin is also installed and active, which narrows the exposed population to a specific segment of users, though one still large enough to warrant immediate action.

Security professionals continue to urge administrators to act quickly, warning that the risk of exploitation remains extremely high.

Stay ahead of emerging cybersecurity threats. For the latest insights and updates on cloud security, follow SOC News.

News Source: CybersecurityNews.com