Full Report
Cybersecurity researchers have disclosed a critical unpatched security flaw impacting TI WooCommerce Wishlist plugin for WordPress that could be exploited by unauthenticated attackers to upload arbitrary files. TI WooCommerce Wishlist, which has over 100,000 active installations, is a tool to allow e-commerce site customers to save their favorite products for later and share the lists on social
Analysis Summary
# Vulnerability: Unauthenticated Arbitrary File Upload in TI WooCommerce Wishlist Plugin
## CVE Details
- CVE ID: CVE-2025-47577
- CVSS Score: 10.0 (Critical)
- CWE: Not stated in the sources; the flaw is an unrestricted file upload caused by missing file-type validation
## Affected Systems
- Products: TI WooCommerce Wishlist plugin for WordPress
- Versions: All versions of the plugin up to and including 2.9.2 (released November 29, 2024)
- Configurations: Successful exploitation requires both the **TI WooCommerce Wishlist plugin** and the **WC Fields Factory plugin** to be installed and activated, with the integration enabled between them.
## Vulnerability Description
The TI WooCommerce Wishlist plugin is vulnerable to a critical unauthenticated arbitrary file upload flaw in the file handling function `tinvwl_upload_file_wc_fields_factory`. This function calls WordPress's `wp_handle_upload()` with the validation overrides `'test_type'` and `'test_form'` both set to `false`. `'test_form' => false` skips the check that the request came through a WordPress upload form (`$_POST['action']` equal to `wp_handle_upload`), and `'test_type' => false` skips the extension and Multipurpose Internet Mail Extensions (MIME) type validation that `wp_handle_upload()` normally performs through `wp_check_filetype_and_ext()`. With that check disabled the uploaded file keeps its original name and extension and is written into the site's upload directory (normally `wp-content/uploads`), so an attacker can place a `.php` file, such as a web shell, where the web server will execute it.
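The pattern described above, as an added illustration that is not code from the TI WooCommerce Wishlist plugin or from Patchstack: a handler that disables `test_type`, beside a hardened form that keeps core validation on and narrows it with an explicit allow-list. It assumes it runs inside WordPress (`wp_handle_upload()`, `wp_check_filetype_and_ext()`, `wp_unique_filename()` and `wp_generate_password()` are core functions); the `example_*` function names and the image-only allow-list are assumptions.

```php
<?php
// Added illustrative example; not the plugin's code. Assumes WordPress is loaded.
// The example_* names are hypothetical. $file is one entry of $_FILES.

/**
 * Vulnerable pattern. With 'test_type' => false, wp_handle_upload() never calls
 * wp_check_filetype_and_ext(), so the extension/MIME allow-list is skipped and a
 * file named shell.php is written as-is under wp_upload_dir() (wp-content/uploads).
 * 'test_form' => false additionally skips the check that $_POST['action'] equals
 * 'wp_handle_upload', so the handler accepts any POST that reaches it.
 */
function example_vulnerable_upload( array $file ) {
    $overrides = array(
        'test_form' => false,
        'test_type' => false, // the dangerous setting
    );
    return wp_handle_upload( $file, $overrides );
}

/**
 * Hardened pattern. Core validation stays on and is narrowed to an explicit
 * allow-list, so the outcome does not depend on the site-wide upload_mimes
 * filter. The stored filename is replaced with a random one so the attacker
 * does not control the name on disk.
 */
function example_hardened_upload( array $file ) {
    $allowed = array(
        'jpg|jpeg|jpe' => 'image/jpeg',
        'png'          => 'image/png',
        'gif'          => 'image/gif',
    );

    if ( ! isset( $file['tmp_name'], $file['name'] ) || ! is_uploaded_file( $file['tmp_name'] ) ) {
        return array( 'error' => 'Invalid upload.' );
    }

    // Reject before wp_handle_upload() when the extension or the sniffed content
    // falls outside the allow-list; this rejection does not depend on any capability.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return array( 'error' => 'File type not permitted.' );
    }

    $overrides = array(
        'test_form'                => false,    // this endpoint is not the core media form
        'test_type'                => true,     // core extension/MIME validation stays on
        'mimes'                    => $allowed, // and is restricted to these types
        'unique_filename_callback' => 'example_random_filename',
    );
    return wp_handle_upload( $file, $overrides );
}

/** Random basename; $ext arrives from wp_unique_filename() with its leading dot. */
function example_random_filename( $dir, $name, $ext ) {
    return wp_generate_password( 24, false ) . $ext;
}
```

The explicit pre-check matters because `wp_handle_upload()` itself still lets a user with the `unfiltered_upload` capability past the `test_type` check; the early `wp_check_filetype_and_ext()` call rejects disallowed types regardless of who is calling.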
## Exploitation
- Status: Not reported as exploited in the wild at the time of disclosure; the vulnerability was **unpatched** when disclosed.
- Complexity: Low attack complexity; no privileges required (unauthenticated) and no user interaction.
- Attack Vector: Network (reachable by any remote attacker who can send HTTP requests to the vulnerable site, consistent with the CVSS 10.0 score).
## Impact
- Confidentiality: High (Uploading a web shell leads to potential information disclosure)
- Integrity: High (Successful exploitation can lead to system modification via uploaded files)
- Availability: High (the uploaded file gives remote code execution, which can lead to denial of service or complete site compromise)
## Remediation
### Patches
- No patch was available at the time of disclosure. Patchstack's guidance to plugin developers is not to set `'test_type' => false` when calling `wp_handle_upload()`, so that core extension and MIME validation remains in effect.
### Workarounds
- Users of the plugin are strongly urged to **deactivate and delete the TI WooCommerce Wishlist plugin** from their WordPress sites until an official patch is released. Because exploitation also requires the WC Fields Factory plugin with the integration enabled, deactivating WC Fields Factory removes that precondition on sites that cannot remove the wishlist plugin immediately; this is a stopgap, not a substitute for removal.
## Detection
- Indicators of compromise: unexpected files in directories served by the web server, especially PHP files (or files with double extensions such as `.php.jpg`) under `wp-content/uploads`, the directory `wp_handle_upload()` writes to.
- Detection should combine file-creation monitoring in the uploads directory with web server access logs: look for `POST` requests carrying `multipart/form-data` for the wishlist and cart actions handled by `tinvwl_meta_wc_fields_factory` or `tinvwl_cart_meta_wc_fields_factory`, and correlate them with files created at the same time, on sites where both the Wishlist and WC Fields Factory plugins are present.
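A scanner for the file-system side of the detection above, as an added example that is not from the original page, Patchstack or the plugin. It walks an uploads tree and flags script extensions, double extensions, PHP open tags in content regardless of extension, and `.htaccess` files, marking which findings fall inside a recent time window so they can be correlated with access-log entries. The extension list, the 24-hour default window, the `example_*` names and the sample files it builds when run without arguments are all constructed assumptions.

```php
<?php
// Added example; not from the original page, Patchstack, or the plugin.
// Hypothetical CLI scanner for a WordPress uploads tree. The extension list,
// the 24-hour default window and the sample files below are constructed.
// Usage: php scan_uploads.php /var/www/html/wp-content/uploads [hours]
//        php scan_uploads.php            (no args: scans a constructed sample tree)

const EXAMPLE_SCRIPT_EXTS = array( 'php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar' );

/** Return one finding per file that should not exist in an uploads tree. */
function example_scan_uploads( string $root, int $hours = 24 ): array {
    $cutoff   = time() - $hours * 3600;
    $findings = array();
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iterator as $entry ) {
        if ( ! $entry->isFile() ) {
            continue;
        }
        $name    = $entry->getFilename();
        $reasons = array();

        if ( in_array( strtolower( $entry->getExtension() ), EXAMPLE_SCRIPT_EXTS, true ) ) {
            $reasons[] = 'script extension';
        }
        // image.php.jpg style names that some server configurations still execute
        if ( preg_match( '/\.(php\d?|phtml|phar)\.[a-z0-9]+$/i', $name ) ) {
            $reasons[] = 'double extension';
        }
        // Content check: a PHP open tag in the first 4 KiB, whatever the extension says
        $head = file_get_contents( $entry->getPathname(), false, null, 0, 4096 );
        if ( $head !== false && preg_match( '/<\?(php\b|=)/i', $head ) ) {
            $reasons[] = 'PHP open tag in content';
        }
        // An .htaccess dropped into uploads can re-enable execution or remap handlers
        if ( $name === '.htaccess' ) {
            $reasons[] = 'htaccess in uploads';
        }

        if ( $reasons ) {
            $mtime      = $entry->getMTime();
            $findings[] = array(
                'path'    => $entry->getPathname(),
                'mtime'   => gmdate( 'c', $mtime ),
                'recent'  => $mtime >= $cutoff, // correlate with access logs in this window
                'reasons' => $reasons,
            );
        }
    }
    return $findings;
}

/** Constructed sample tree: one benign image, one dropped script, one disguised one. */
function example_sample_tree(): string {
    $root = sys_get_temp_dir() . '/example_uploads_' . bin2hex( random_bytes( 4 ) );
    mkdir( $root . '/2025/05', 0700, true );
    file_put_contents( $root . '/2025/05/photo.jpg', "\xFF\xD8\xFF\xE0 constructed jpeg bytes" );
    file_put_contents( $root . '/2025/05/shell.php', "<?php /* constructed sample of a dropped script */ echo 'x';" );
    file_put_contents( $root . '/2025/05/avatar.php.png', "<?= /* constructed */ 1 ?>" );
    return $root;
}

$root  = $argv[1] ?? example_sample_tree();
$hours = isset( $argv[2] ) ? (int) $argv[2] : 24;
foreach ( example_scan_uploads( $root, $hours ) as $f ) {
    printf( "%s  %s  %s  [%s]\n",
        $f['recent'] ? 'RECENT' : 'old   ', $f['mtime'], $f['path'], implode( ', ', $f['reasons'] ) );
}
```

On the constructed tree the scanner reports `shell.php` (script extension, PHP open tag) and `avatar.php.png` (double extension, PHP open tag) and ignores `photo.jpg`. The content check is what catches uploads whose extension has been chosen to look harmless; the `recent` flag narrows the set to compare against `POST` entries in the access log for the same window.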
## References
- Vendor Advisories: None at the time of disclosure; the vulnerability was reported by Patchstack.
- Relevant links:
- `hXXps://thehackernews.com/2025/05/over-100000-wordpress-sites-at-risk.html`
- `hXXps://patchstack.com/articles/unpatched-critical-vulnerability-in-ti-woocommerce-wishlist-plugin/`