
Critical CVSS 10.0 Vulnerability in TI WooCommerce Wishlist Plugin Endangers 100,000+ WordPress Sites

A critical vulnerability in the TI WooCommerce Wishlist plugin, affecting over 100,000 WordPress sites, has been disclosed. Rated with a CVSS score of 10.0, this flaw allows unauthenticated attackers to upload arbitrary files, potentially leading to full server compromise. Users are urged to take immediate action as no patch is currently available.


Critical Vulnerability Uncovered

Security researchers have identified a severe vulnerability, tracked as CVE-2025-47577, within the TI WooCommerce Wishlist plugin. This plugin, widely used by over 100,000 e-commerce sites, enables customers to create and share wishlists. The flaw allows unauthenticated attackers to upload malicious files, posing a significant risk to affected websites.

Technical Details of the Exploit

The vulnerability stems from a misconfiguration in the function, which uses WordPress's native function. Crucially, it disables vital security validations by setting to . This bypasses file type validation, allowing attackers to upload executable PHP files. Once uploaded, these files can be accessed and executed remotely, leading to complete system compromise.
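To make the mechanism concrete from the defender's side, the following is an added example and not the plugin's code: it contrasts an upload handler that switches off WordPress's file-type validation through the `test_type` override of `wp_handle_upload()` (the class of misconfiguration described above) with one that keeps that validation on, narrows it to an explicit MIME allow-list, and requires a capability and a nonce. The function names `example_weak_upload`, `example_hardened_upload` and the nonce action `example_wishlist_upload` are hypothetical; `wp_handle_upload()`, `wp_check_filetype_and_ext()`, `wp_verify_nonce()` and `current_user_can()` are standard WordPress APIs.

```php
<?php
// Added example, not taken from the TI WooCommerce Wishlist plugin.
// Function names prefixed "example_" are hypothetical.

// WEAK: passing 'test_type' => false tells wp_handle_upload() to skip its
// extension/MIME validation, so a file named anything.php is stored like
// any other upload and can then be requested (and executed) over HTTP.
function example_weak_upload( array $file ) {
    $overrides = array(
        'test_form' => false, // custom endpoint, no form-action check
        'test_type' => false, // DANGEROUS: disables wp_check_filetype_and_ext()
    );
    return wp_handle_upload( $file, $overrides );
}

// HARDENED: require an authenticated, capable user and a valid nonce,
// check the extension/MIME pair against an allow-list before WordPress
// sees the file, and keep 'test_type' enabled with that same allow-list.
function example_hardened_upload( array $file, string $nonce ) {
    if ( ! is_user_logged_in() || ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'forbidden', 'Not allowed to upload files.' );
    }
    if ( ! wp_verify_nonce( $nonce, 'example_wishlist_upload' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid request.' );
    }

    // Only image types are accepted; nothing executable can match.
    $allowed_mimes = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    );

    // Early rejection: wp_check_filetype_and_ext() compares the declared
    // extension with the file's real content type against $allowed_mimes.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed_mimes );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'File type not permitted.' );
    }

    $overrides = array(
        'test_form' => false,          // custom endpoint, no form-action check
        'test_type' => true,           // keep WordPress's own validation on
        'mimes'     => $allowed_mimes, // and restrict it to the allow-list
    );
    return wp_handle_upload( $file, $overrides );
}
```

The hardened form fails closed: an unauthenticated request is refused before any file is touched, and a mismatch between the declared extension and the detected MIME type is rejected even if the caller later loosens the overrides. Reviewing a site's plugins for `'test_type' => false` (or for `wp_handle_upload()` calls reachable without authentication) is a practical way to spot this class of defect before it is disclosed.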

Exploitation Conditions

Successful exploitation of this vulnerability is contingent on the simultaneous activation of the WC Fields Factory plugin. The vulnerable function is accessible via or , which are only available when the WC Fields Factory plugin is active and its integration with TI WooCommerce Wishlist is enabled.

Key Takeaways

  • CVSS 10.0 Rating: The vulnerability is assigned the maximum severity score, indicating extreme risk.

  • No Patch Available: As of now, the plugin developers have not released a patch for this critical flaw.

  • Affected Versions: All versions of the TI WooCommerce Wishlist plugin up to and including 2.9.2 are vulnerable.

  • Immediate Action Required: Users are strongly advised to deactivate and remove the plugin from their WordPress installations to mitigate the risk.

  • Vendor Unresponsive: Security researchers attempted to contact the developers for nearly two months without success, leading to public disclosure.

Recommendations for Users

Given the severity of the vulnerability and the absence of a patch, users of the TI WooCommerce Wishlist plugin should take immediate action. The most effective mitigation strategy is to deactivate and completely remove the plugin from their WordPress sites. This will prevent potential exploitation and safeguard their e-commerce operations from compromise.

As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.

Sources

  • Wordpress TI WooCommerce Wishlist Plugin Vulnerability Exposes 100,000+ Websites To Cyberattack, CybersecurityNews.

  • Over 100,000 WordPress Sites at Risk from Critical CVSS 10.0 Vulnerability in Wishlist Plugin, The Hacker News.
