Table of contents
- A popular plugin becomes a ticking time bomb
- Root of the issue: bypassed file upload checks
- When exploitation becomes possible
- No patch in sight: disable now
- What website owners should do
A popular plugin becomes a ticking time bomb
A high-severity security bug has been identified in the TI WooCommerce Wishlist plugin for WordPress, which has over 100,000 active installations.
Patchstack has raised the alarm, assigning the vulnerability the identifier CVE-2025-47577 and a score of 10/10 on the CVSS scale, a sign of the extreme risk for anyone using the component.
The plugin allows customers to create and share wishlists of their favorite products in WooCommerce-powered shops. However, the wishlist feature becomes a security nightmare when combined with the WC Fields Factory plugin.
Root of the issue: bypassed file upload checks
The problem arises from the tinvwl_upload_file_wc_fields_factory function, which uses wp_handle_upload to handle uploaded files.
Two key parameters – test_form and test_type – are set to false. This means that the system does not verify the file type or the origin of the request.
Thus, an unauthenticated attacker can upload files of any type, including malicious PHP files, paving the way for remote code execution on the server.
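To make the described misconfiguration concrete, here is an added illustration (not the plugin's own code): a handler that mirrors the weak `wp_handle_upload` call the advisory describes, next to a hardened form that restores authentication, request validation and an explicit file-type allowlist. The function names, capability and nonce action are hypothetical.

```php
<?php
// Added example, not code from TI WooCommerce Wishlist. Hypothetical names:
// my_wishlist_upload_weak() reproduces the pattern described in the advisory,
// my_wishlist_upload_hardened() shows the checks a safe handler should keep.

// Weak pattern: both safety checks of wp_handle_upload() are switched off.
function my_wishlist_upload_weak( array $file ) {
    $overrides = array(
        'test_form' => false, // no check that the request came from an expected form
        'test_type' => false, // no check of the file's extension or MIME type
    );
    // Any uploaded file, including a .php script, lands under wp-content/uploads.
    return wp_handle_upload( $file, $overrides );
}

// Hardened pattern: only authorised users, only expected requests, only images.
function my_wishlist_upload_hardened( array $file ) {
    // Require a logged-in user with an upload capability (hypothetical choice).
    if ( ! is_user_logged_in() || ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'forbidden', 'Not allowed to upload files.' );
    }
    // Require a valid nonce bound to this action (hypothetical action name).
    $nonce = isset( $_POST['_wpnonce'] ) ? $_POST['_wpnonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'my_wishlist_upload' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid or expired request.' );
    }
    // Small allowlist instead of the site-wide wp_get_mime_types() list.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    );
    // Verify that extension and actual content agree on an allowed type.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'File type not permitted.' );
    }
    $overrides = array(
        'test_form' => true,                 // $_POST['action'] must match 'action' below
        'action'    => 'my_wishlist_upload', // hypothetical form action value
        'test_type' => true,                 // wp_handle_upload re-checks the type
        'mimes'     => $allowed,             // restrict to the allowlist above
    );
    return wp_handle_upload( $file, $overrides );
}
```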
When exploitation becomes possible
The flaw becomes exploitable only if:
- The WC Fields Factory plugin is active;
- The integration is enabled in TI WooCommerce Wishlist.
Only in this configuration is it possible to access the vulnerable function, through tinvwl_meta_wc_fields_factory or tinvwl_cart_meta_wc_fields_factory.
However, considering how widely the plugin is deployed and the absence of a patch, the risk remains very high.
No patch in sight: disable now
As of now, there is no available patch. Patchstack strongly recommends disabling or removing the plugin from all websites until a security fix is released.
This kind of flaw, known as arbitrary file upload, is among the most dangerous in the world of WordPress cyber security, because it allows direct, silent and devastating attacks.
What website owners should do
- Check if the plugin is active on your website.
- Confirm if WC Fields Factory is also enabled.
- If both are active, deactivate or delete TI WooCommerce Wishlist immediately.
- Monitor the plugin’s official page for updates.
Questions and answers
- What is TI WooCommerce Wishlist?
A plugin that allows users to create shareable wishlists on WooCommerce websites.
- How many sites are affected?
More than 100,000 active installations.
- What type of vulnerability is it?
An arbitrary file upload flaw leading to remote code execution.
- What is the CVE identifier?
CVE-2025-47577.
- What is the CVSS score?
10 out of 10, the highest risk level.
- Is there a patch available?
No, there is currently no fix.
- Can attackers exploit this without logging in?
Yes, it is exploitable by unauthenticated users.
- Is it only vulnerable with WC Fields Factory?
Yes, both plugins must be active for exploitation.
- How do I protect my site?
Immediately deactivate or uninstall the plugin.
- Are there secure alternatives?
Yes, there are audited wishlist plugins with better security practices.