Critical Bug in WordPress E-commerce Plugin, Over 100,000 Sites Impacted

WordPress plugin exploit

Cybersecurity researchers have found a critical, unpatched security vulnerability in the TI WooCommerce Wishlist plugin for WordPress that unauthenticated attackers could abuse to upload arbitrary files to the server.

TI WooCommerce Wishlist has more than 100,000 active installations. It allows e-commerce website users to save their favorite products for later and share the lists on social media platforms. According to Patchstack researcher John Castro, “The plugin is vulnerable to an arbitrary file upload vulnerability which allows attackers to upload malicious files to the server without authentication.”

About the vulnerability 

Tracked as CVE-2025-47577, the vulnerability carries a CVSS score of 10.0 (critical). It affects version 2.9.2 of the plugin, released on November 29, 2024, and all earlier versions. At the time of writing, no patch is available.

According to the security company, the flaw lies in the function tinvwl_upload_file_wc_fields_factory, which relies on the native WordPress function wp_handle_upload for validation but passes the override parameters test_form and test_type as false.

With its default value, the test_type override verifies that the uploaded file's extension and Multipurpose Internet Mail Extensions (MIME) type are among those permitted, while test_form verifies that the $_POST['action'] parameter holds the expected value.
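The effect of the two overrides is easiest to see in a stand-alone model. The PHP script below is an added example, not code from the plugin or from WordPress core: it reimplements, in simplified form, the two gates that wp_handle_upload() applies with its default overrides (a form-action check, and an extension plus content-sniffed MIME check against an allow-list), then calls that model once with the overrides the plugin is reported to pass and once with the defaults left in place. The allow-list, the error strings, the handle_upload() and check_filetype_and_ext() helpers and the sample upload are all assumptions made for this example; the real WordPress check (wp_check_filetype_and_ext()) does more than is shown here.

```php
<?php
// Added example, not the plugin's or WordPress core's code: a stand-alone model of the
// two gates wp_handle_upload() runs when test_form and test_type are left at their
// defaults, so the impact of passing both as false can be seen without WordPress.

// Hypothetical allow-list standing in for what the upload_mimes filter would return.
const ALLOWED_MIMES = [
    'jpg|jpeg|jpe' => 'image/jpeg',
    'png'          => 'image/png',
    'gif'          => 'image/gif',
    'pdf'          => 'application/pdf',
];

/**
 * Model of the test_type gate: the extension must be on the allow-list AND the
 * sniffed content of the temporary file must match the MIME type mapped to it.
 * Returns the accepted MIME type, or null if the file must be rejected.
 */
function check_filetype_and_ext(string $tmp_name, string $filename): ?string
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    $expected = null;
    foreach (ALLOWED_MIMES as $exts => $mime) {
        if (in_array($ext, explode('|', $exts), true)) {
            $expected = $mime;
            break;
        }
    }
    if ($expected === null) {
        return null; // extension not on the allow-list, e.g. .php
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $real  = $finfo->file($tmp_name);
    return $real === $expected ? $expected : null; // content does not match extension
}

/**
 * Model of wp_handle_upload(): $overrides uses the same keys WordPress accepts.
 * Returns ['file' => ..., 'type' => ...] on success or ['error' => ...] on rejection.
 */
function handle_upload(array $file, array $post, array $overrides = []): array
{
    $test_form = $overrides['test_form'] ?? true;
    $test_type = $overrides['test_type'] ?? true;

    // test_form: the request must carry the action this handler expects.
    if ($test_form && ($post['action'] ?? '') !== 'wp_handle_upload') {
        return ['error' => 'Invalid form submission.'];
    }

    // test_type: validate extension and real content; otherwise trust the client.
    if ($test_type) {
        $type = check_filetype_and_ext($file['tmp_name'], $file['name']);
        if ($type === null) {
            return ['error' => 'Sorry, you are not allowed to upload this file type.'];
        }
    } else {
        $type = $file['type']; // client-supplied Content-Type, attacker controlled
    }
    return ['file' => $file['name'], 'type' => $type];
}

// Constructed sample: a PHP web shell uploaded under an image Content-Type.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "<?php system(\$_GET['c']); ?>");
$upload = ['name' => 'avatar.php', 'type' => 'image/png', 'tmp_name' => $tmp];

// Vulnerable pattern, as described for tinvwl_upload_file_wc_fields_factory: both gates off.
var_dump(handle_upload($upload, [], ['test_form' => false, 'test_type' => false]));

// Hardened pattern: defaults kept, so the .php extension is rejected before any move.
var_dump(handle_upload($upload, ['action' => 'wp_handle_upload']));

unlink($tmp);
```

Run with the PHP CLI (the fileinfo extension must be enabled). The first call returns the file as accepted with the spoofed image type, because neither gate runs; the second returns the file-type error, because the .php extension is not on the allow-list and the check never needs to look at the content. Content sniffing matters for the remaining case, a permitted extension with mismatched content, which is why the model checks both and not just the extension.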

Setting test_type to false effectively bypasses the file type validation, permitt


This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
