Cybersecurity experts have identified a significant unpatched security vulnerability in the TI WooCommerce Wishlist plugin for WordPress, potentially affecting over 100,000 active installations. The flaw allows unauthenticated attackers to upload arbitrary files, raising alarms among website security professionals.
The vulnerability, officially tracked as CVE-2025-47577, has been assigned a critical CVSS score of 10.0. It impacts all versions of the plugin released up to and including version 2.9.2, which was made available on November 29, 2024. Current assessments indicate that no patches have been released to mitigate the risk.
According to researcher John Castro from Patchstack, the security issue resides in a function called “tinvwl_upload_file_wc_fields_factory”. This function utilizes the native WordPress method “wp_handle_upload” to perform file validation but erroneously overrides two critical parameters, setting both “test_form” and “test_type” to “false”.
With both checks disabled, an attacker can upload files of any type, including malicious PHP files, which can lead to remote code execution (RCE) if the upload is reached. Exploitation is reported to require the WC Fields Factory plugin to also be active, which further compounds the risk for installations running both plugins.
To guard against this class of flaw, plugin developers are advised not to set “test_type” to false when calling wp_handle_upload(). Because no fix is available, users are advised to deactivate and uninstall the TI WooCommerce Wishlist plugin immediately.
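The following is an added illustration written for this article, not code from the TI WooCommerce Wishlist plugin. It places the override pattern described above next to a safer way of calling the same WordPress API from a front-end form. The function names (example_unsafe_upload, example_safe_upload) and the nonce action name “example_upload” are hypothetical; wp_handle_upload(), its “test_form”, “test_type” and “mimes” overrides, current_user_can(), wp_verify_nonce() and WP_Error are real WordPress APIs.

```php
<?php
// Added example, not the plugin's own code. Shows what the overrides described
// in the advisory do and a safer pattern for handling a front-end file upload.
// Function names and the nonce action are hypothetical; WordPress APIs are real.

// UNSAFE PATTERN: both overrides set to false.
//  - 'test_form' => false skips the check that $_POST['action'] matches the
//    expected value (harmless on its own for front-end forms).
//  - 'test_type' => false skips wp_check_filetype_and_ext(), so WordPress no
//    longer rejects disallowed extensions or mismatched MIME types, and a
//    .php file is accepted like any other upload.
function example_unsafe_upload( array $file ) {
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $overrides = array(
        'test_form' => false,
        'test_type' => false, // disables file-type validation entirely
    );
    return wp_handle_upload( $file, $overrides );
}

// SAFER PATTERN: keep type validation on, add authorization and a nonce,
// and restrict the accepted types to an explicit allow-list.
function example_safe_upload( array $file ) {
    require_once ABSPATH . 'wp-admin/includes/file.php';

    // 1. Never accept uploads from unauthenticated visitors; require the
    //    standard 'upload_files' capability.
    if ( ! is_user_logged_in() || ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'forbidden', 'You are not allowed to upload files.' );
    }

    // 2. Require a valid nonce tied to this form ('example_upload' is a
    //    hypothetical action name) so the request came from our own page.
    $nonce = isset( $_POST['_wpnonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'example_upload' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid request.' );
    }

    // 3. Leave 'test_type' at its default (true) and narrow the permitted
    //    types with 'mimes' instead of accepting everything WordPress allows.
    $overrides = array(
        'test_form' => false, // front-end form: no 'action' field to test
        'test_type' => true,  // keep extension and MIME validation
        'mimes'     => array(
            'jpg|jpeg' => 'image/jpeg',
            'png'      => 'image/png',
            'pdf'      => 'application/pdf',
        ),
    );

    $result = wp_handle_upload( $file, $overrides );

    // On failure wp_handle_upload() returns array( 'error' => '...' ).
    if ( isset( $result['error'] ) ) {
        return new WP_Error( 'upload_failed', $result['error'] );
    }

    // On success: array with 'file' (path), 'url' and 'type'.
    return $result;
}
```

The key difference is the third override block: with “test_type” left enabled, wp_handle_upload() runs its extension and MIME checks and rejects anything outside the “mimes” allow-list, so a file named with a PHP extension never reaches the uploads directory. Site owners auditing their own plugins can search plugin code for calls to wp_handle_upload() that pass “test_type” as false and treat any such call that is reachable without authentication as a finding to escalate.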