Severity
High
Analysis Summary
A critical vulnerability, tracked as CVE-2025-47577, has been discovered in the TI WooCommerce Wishlist plugin, exposing over 100,000 WordPress websites to the risk of unauthenticated remote code execution. Rated High under CVSS, the flaw enables attackers to upload arbitrary files to the server, potentially resulting in complete compromise of the affected websites. The plugin, widely used to add wishlist functionality to WooCommerce-powered e-commerce stores, has become a serious security risk because the vulnerability remains unpatched.
The issue affects version 2.9.2 and all previous versions of the plugin, with no fix or patch currently released by the developers. The vulnerability was discovered by a researcher during routine assessments and reported to the plugin vendor on March 26, 2025. However, after nearly two months of silence from the developers, Patchstack published the vulnerability in their database on May 16, 2025, followed by a public security advisory on May 27, 2025. Due to the lack of vendor engagement, security experts are urging administrators to immediately remove the plugin from their sites.
The vulnerability stems from unsafe upload handling in the tinvwl_upload_file_wc_fields_factory function. This function calls WordPress's wp_handle_upload but intentionally disables two crucial security checks: test_form and test_type. By setting 'test_type' => false, the code bypasses file type validation, allowing malicious actors to upload executable files such as .php directly to the server. Once uploaded, these files can be requested and executed remotely, giving attackers full control over the affected system.
Notably, this vulnerability is only exploitable when the WC Fields Factory plugin is also active on the same website, forming a specific yet dangerous attack chain. This means that while the flaw does not affect every user of the TI WooCommerce Wishlist plugin, a significant subset of users who run both plugins are at immediate risk. Until a patch is released or further guidance is provided by the plugin developers, the only secure course of action is complete removal of the plugin to prevent exploitation and protect website integrity.
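The following PHP is an added illustration, not the plugin's code: the advisory names only the function tinvwl_upload_file_wc_fields_factory and the two disabled overrides, so the function bodies, the $file/$nonce parameters, the nonce action string and the MIME allow-list below are assumptions. It shows the unsafe wp_handle_upload call beside a hardened version that keeps WordPress's type validation on, adds an explicit allow-list, and verifies the file's content against its extension.

```php
<?php
// Added illustration (not the plugin's code). Only the function name and the
// two disabled overrides come from the advisory; everything else is assumed.

// Unsafe pattern described in the advisory: both WordPress upload checks are
// switched off, so a .php file submitted by an unauthenticated request is
// written under wp-content/uploads unchanged.
function tinvwl_upload_file_wc_fields_factory_unsafe( array $file ) {
    require_once ABSPATH . 'wp-admin/includes/file.php';
    return wp_handle_upload( $file, array(
        'test_form' => false, // skips the check that $_POST['action'] matches the expected action
        'test_type' => false, // skips MIME/extension validation entirely
    ) );
}

// Hardened version (assumed design): require a session and a nonce, keep
// test_type on, and pass an explicit allow-list so only the field's intended
// formats are accepted.
function tinvwl_upload_file_wc_fields_factory_hardened( array $file, string $nonce ) {
    require_once ABSPATH . 'wp-admin/includes/file.php';

    // 'tinvwl_upload' is an assumed nonce action name for this form.
    if ( ! is_user_logged_in() || ! wp_verify_nonce( $nonce, 'tinvwl_upload' ) ) {
        return new WP_Error( 'forbidden', 'Upload not permitted.' );
    }

    // Assumed allow-list for a wishlist attachment field.
    $allowed_mimes = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'pdf'      => 'application/pdf',
    );

    // Extension and content must agree: wp_check_filetype_and_ext sniffs the
    // file, so PHP code renamed to .png is rejected as well.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed_mimes );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'File type not allowed.' );
    }

    return wp_handle_upload( $file, array(
        'test_form' => false, // custom form, so the action check is still off ...
        'test_type' => true,  // ... but MIME/extension validation stays on (the default)
        'mimes'     => $allowed_mimes,
    ) );
}
```

Leaving test_form disabled is common for custom forms and is not the dangerous part; the harm comes from test_type being false with no allow-list, which is exactly what the hardened version restores.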
Impact
- Code Execution
- Gain Access
Indicators of Compromise
CVE
CVE-2025-47577
Affected Vendors
- WordPress
Affected Products
- TemplateInvaders TI WooCommerce Wishlist - n/a
Remediation
- Update the WordPress plugin to the latest available version.
- Immediately remove the TI WooCommerce Wishlist plugin (version 2.9.2 and below) from your WordPress installation to eliminate exposure.
- Deactivate and delete the WC Fields Factory plugin as well, if it's active, since the vulnerability is only exploitable when both plugins are present.
- Regularly monitor your website and server files for suspicious or unauthorized PHP files, especially in directories commonly used for uploads.
- Clean up any leftover files or potential web shells from the server if you suspect exploitation has already occurred.
- Switch to an alternative, secure wishlist plugin that is actively maintained and has a strong security track record.
- Subscribe to vulnerability monitoring services (like Patchstack or WPScan) to receive alerts for newly discovered plugin flaws.
- Implement a Web Application Firewall (WAF) to help block malicious file uploads and exploit attempts in real-time.
- Audit your WordPress plugins regularly and remove or replace outdated, abandoned, or unmaintained plugins.
- Restrict file types and permissions at the server level to prevent execution of uploaded scripts (e.g., block .php execution in upload folders).
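As an added example covering the monitoring and server-hardening items above (not part of the advisory, and not the plugin's code), the stand-alone PHP CLI script below inventories script files under the uploads directory and checks for, or optionally appends, an Apache deny rule that stops anything there from being executed. The uploads path, extension list, .htaccess rule and the --fix flag are assumptions for a typical Apache-hosted WordPress install.

```php
<?php
// Added example (not from the advisory or the plugin). Usage:
//   php check-uploads.php /path/to/wp-content/uploads [--fix]
// Paths, extension list and the Apache rule are assumptions.

$uploads = $argv[1] ?? 'wp-content/uploads';
if ( ! is_dir( $uploads ) ) {
    fwrite( STDERR, "uploads directory not found: $uploads\n" );
    exit( 2 );
}

// Extensions that common Apache/PHP-FPM setups hand to the PHP interpreter.
$script_exts = array( 'php', 'php5', 'php7', 'phtml', 'phar' );

// 1. Inventory: no script file belongs anywhere under uploads.
$suspects = array();
$it = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator( $uploads, FilesystemIterator::SKIP_DOTS )
);
foreach ( $it as $f ) {
    $ext = strtolower( $f->getExtension() );
    // Also flag double extensions such as image.php.jpg, which some handlers execute.
    $inner_php = preg_match( '/\.ph(p\d?|tml|ar)\./i', $f->getFilename() );
    if ( in_array( $ext, $script_exts, true ) || $inner_php ) {
        $suspects[] = $f->getPathname() . ' (modified ' . date( 'c', $f->getMTime() ) . ')';
    }
}

// 2. Server-level block (Apache 2.4 syntax). An nginx host needs the
//    equivalent `location ~* ^/wp-content/uploads/.*\.php$ { deny all; }`.
$htaccess = $uploads . '/.htaccess';
$rule     = "<FilesMatch \"\\.(php|php5|php7|phtml|phar)$\">\n    Require all denied\n</FilesMatch>\n";
$existing = is_file( $htaccess ) ? file_get_contents( $htaccess ) : '';
$rule_present = strpos( $existing, 'Require all denied' ) !== false;

if ( $suspects ) {
    echo "Script files found under uploads (review each one):\n  "
        . implode( "\n  ", $suspects ) . "\n";
}
echo $rule_present
    ? "Execution block present in $htaccess\n"
    : "Execution block MISSING in $htaccess\n";

if ( ! $rule_present && in_array( '--fix', $argv, true ) ) {
    file_put_contents( $htaccess, $existing . "\n" . $rule, LOCK_EX );
    echo "Appended deny rule to $htaccess\n";
}

// Non-zero exit so the check can run from cron and alert on either finding.
exit( ( $suspects || ! $rule_present ) ? 1 : 0 );
```

Run it from cron and alert on a non-zero exit; any .php under uploads on a site that ran both plugins should be treated as a possible web shell and reviewed rather than silently deleted, so the timestamps it prints can be matched against web server logs.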