WordPress TI WooCommerce Wishlist Plugin Flaw Puts Over 100,000 Websites at Risk of Cyberattack
A severe security flaw has been identified in the TI WooCommerce Wishlist plugin, a widely used WordPress extension with over 100,000 active installations.
This plugin enables WooCommerce store owners to integrate wishlist functionality into their online shops, often alongside other extensions like WC Fields Factory for enhanced form customization.
However, the latest version (2.9.2 as of this report) and all prior versions harbor an unauthenticated arbitrary file upload vulnerability, tracked as CVE-2025-47577, posing a significant threat to websites utilizing this tool.
With no patched version currently available, users are strongly advised to deactivate and delete the plugin to safeguard their systems.
Unauthenticated File Upload Vulnerability
The vulnerability stems from a critical oversight in the plugin's code, specifically within the tinvwl_upload_file_wc_fields_factory function located in the integrations/wc-fields-factory.php file.
This function leverages WordPress's wp_handle_upload mechanism, which by default validates an uploaded file's extension and sniffed MIME type against the site's allowed list and rejects anything else, preventing the upload of executable content.
However, the plugin explicitly disables this safeguard by passing the override 'test_type' => false, so the file-type check is skipped and an attacker can upload any file type, including executable PHP scripts.
Because uploaded files land in a web-accessible directory, an attacker can then request the uploaded script by URL, causing the server to execute it and achieving remote code execution (RCE).
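To make the override concrete, the following is an illustrative PHP example written for this article, not code from the TI WooCommerce Wishlist plugin or from Patchstack's report. It contrasts an upload handler that disables wp_handle_upload's file-type check with a hardened one that keeps it. The handler names, the hypothetical_ prefix, the nonce action string and the image-only allowlist are assumptions made for the example; wp_handle_upload(), wp_verify_nonce() and is_user_logged_in() are WordPress core functions, so the code assumes it runs inside WordPress.

```php
<?php
/**
 * Illustrative example (not the plugin's own code).
 * Shows why 'test_type' => false is dangerous and what a safe call looks like.
 * Assumes WordPress core is loaded (wp_handle_upload, wp_verify_nonce, etc.).
 */

// "Before" picture, mirroring the pattern the advisory describes:
// 'test_type' => false tells wp_handle_upload() to skip
// wp_check_filetype_and_ext(), so a file named shell.php is moved into
// wp-content/uploads/ unchanged and can then be requested over HTTP.
function hypothetical_upload_weak( array $file ) {
    if ( ! function_exists( 'wp_handle_upload' ) ) {
        require_once ABSPATH . 'wp-admin/includes/file.php';
    }
    return wp_handle_upload(
        $file,
        array(
            'test_form' => false, // harmless: request is not a wp-admin form post
            'test_type' => false, // the defect: disables extension/MIME validation
        )
    );
}

// Hardened variant: require an authenticated, nonce-protected request, keep
// test_type at its default (true) and pass an explicit image-only allowlist.
// With the check active, wp_handle_upload() returns array( 'error' => ... )
// for any file whose extension or sniffed MIME type is not in $mimes.
function hypothetical_upload_hardened( array $file, string $nonce ) {
    // 'hypothetical_wishlist_upload' is an assumed nonce action name.
    if ( ! is_user_logged_in() || ! wp_verify_nonce( $nonce, 'hypothetical_wishlist_upload' ) ) {
        return array( 'error' => 'Not allowed.' );
    }
    if ( ! function_exists( 'wp_handle_upload' ) ) {
        require_once ABSPATH . 'wp-admin/includes/file.php';
    }

    // Allowlist of what a wishlist field should ever accept (assumed for the example).
    $mimes = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    );

    // Defense in depth: reject by extension before handing the file to core,
    // so a server that maps unusual extensions to PHP never sees them.
    $ext = strtolower( pathinfo( $file['name'], PATHINFO_EXTENSION ) );
    if ( ! in_array( $ext, array( 'jpg', 'jpeg', 'png', 'gif' ), true ) ) {
        return array( 'error' => 'Only image uploads are accepted.' );
    }

    return wp_handle_upload(
        $file,
        array(
            'test_form' => false,
            'mimes'     => $mimes, // test_type is left at its default of true
        )
    );
}
```

The key difference is a single array key: the weak handler removes the only check standing between an anonymous request and a PHP file in the uploads directory, while the hardened one keeps that check, narrows it to the types the feature actually needs, and additionally refuses to serve the request to anyone who is not authenticated and nonce-validated.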
Technical Breakdown of the Exploit
The vulnerable upload function is reached through helper functions such as tinvwl_meta_wc_fields_factory or tinvwl_cart_meta_wc_fields_factory, but only when the WC Fields Factory plugin is active, which narrows the set of exploitable installations while still leaving a considerable number of websites vulnerable.
An attacker could exploit this flaw without any authentication, uploading malicious code to compromise the server, steal data, or disrupt operations, making this a high-severity issue for affected WooCommerce stores. Store operators should therefore check whether both TI WooCommerce Wishlist and WC Fields Factory are active on their site.
The absence of a patch amplifies the urgency, as there is no fix to mitigate the risk beyond complete removal of the plugin.
Patchstack reports that its paid plans already include protection against this vulnerability, offering a temporary shield to subscribers; the plans start at $5 per site per month after creating a free Community account.
Plugin developers and hosting providers are also encouraged to explore Patchstack's security audit services and Enterprise API to bolster defenses at scale.
Meanwhile, the broader WordPress community awaits an official update from the TI WooCommerce Wishlist team, hoping for a resolution to reinstate secure functionality.
Until then, the recommended course of action remains clear: disable and uninstall the plugin to prevent potential cyberattacks.
In a broader context, this incident underscores the importance of rigorous security practices in plugin development.
According to the report, the plugin's decision to bypass WordPress's default file validation serves as a cautionary tale for developers, highlighting how a single override can expose thousands of websites to exploitation.
For now, store owners must remain vigilant and prioritize security over convenience, as the threat landscape continues to evolve.
If a patched version emerges, updates will be communicated promptly to ensure users can restore wishlist functionality without compromising safety.