Critical Vulnerability Discovered in Popular TI WooCommerce Wishlist Plugin

Bisma Farrukh

Cybersecurity researchers have uncovered a severe, unpatched vulnerability in the TI WooCommerce Wishlist plugin for WordPress. This vulnerability could allow unauthenticated attackers to upload arbitrary files to a website’s server, potentially leading to full site compromise.
The vulnerability, CVE-2025-47577, has been assigned the highest CVSS severity score of 10.0, marking it a critical security risk. The flaw affects all plugin versions up to and including 2.9.2, which was released on November 29, 2024.
With over 100,000 active installations, the TI WooCommerce Wishlist plugin is widely used by e-commerce websites to let customers save products for later and share their wishlists on social media. However, due to this vulnerability, those sites may be at serious risk.
“The plugin is vulnerable to an arbitrary file upload vulnerability, which allows attackers to upload malicious files to the server without authentication,” explained John Castro, a researcher at the cybersecurity firm Patchstack.
How does the Exploit Work?
The issue originates from a function in the plugin called tinvwl_upload_file_wc_fields_factory, which handles file uploads. This function leverages WordPress’s native wp_handle_upload() function — but with a dangerous twist.
WordPress normally validates uploads by checking the file type (test_type) and the form submission context (test_form). In this case, however, both checks are disabled by setting test_type and test_form to false. This bypasses all file-type and context validation, allowing attackers to upload any file, including potentially harmful PHP scripts.
If exploited, a threat actor could achieve remote code execution (RCE) by uploading a malicious PHP file and directly accessing it via the website.
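To make the root cause concrete, the following PHP is an added illustration (not the plugin's own code) contrasting a wp_handle_upload() call with both validation overrides switched off, as the article describes, against a hardened call that keeps them on, restricts MIME types and gates the upload behind a capability and nonce check. The function names weak_upload and safe_wishlist_upload, the nonce action name and the allowed MIME list are assumptions.

```php
<?php
// Added illustration, not the plugin's actual code. Runs inside WordPress,
// which provides wp_handle_upload() via wp-admin/includes/file.php.
require_once ABSPATH . 'wp-admin/includes/file.php';

// Weak pattern described in the article: both checks are disabled, so
// wp_handle_upload() accepts any file type from any form context.
function weak_upload( array $file ) {
    $overrides = array(
        'test_form' => false, // no check that the request came from the expected form
        'test_type' => false, // no extension/MIME validation, so a .php file is stored as-is
    );
    return wp_handle_upload( $file, $overrides );
}

// Hardened version (assumed helper name): keep WordPress's checks enabled,
// allow only image types, and require a capability plus a valid nonce.
function safe_wishlist_upload( array $file, string $nonce ) {
    if ( ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient permissions.' );
    }
    if ( ! wp_verify_nonce( $nonce, 'tinvwl_wishlist_upload' ) ) { // assumed action name
        return new WP_Error( 'bad_nonce', 'Invalid request.' );
    }
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
    );
    $overrides = array(
        'test_form' => true,                    // request must carry the expected action
        'action'    => 'tinvwl_wishlist_upload', // value $_POST['action'] must match
        'test_type' => true,                    // extension and MIME must agree and be allowed
        'mimes'     => $allowed,                // allowlist instead of WordPress's full default set
    );
    $result = wp_handle_upload( $file, $overrides );
    if ( isset( $result['error'] ) ) {
        return new WP_Error( 'upload_failed', $result['error'] );
    }
    // Defence in depth: re-check the detected type against the allowlist.
    if ( ! in_array( $result['type'], $allowed, true ) ) {
        wp_delete_file( $result['file'] );
        return new WP_Error( 'bad_type', 'Unexpected file type.' );
    }
    return $result;
}
```

With test_type enabled, wp_handle_upload() rejects a file whose extension or detected MIME type is not in the allowlist, which is the check the vulnerable configuration turned off.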