WordPress powers millions of websites worldwide, including many small business e-commerce stores. While plugins enhance capabilities and user experience, vulnerabilities in them can pose severe security risks. Recently, a critical zero-day security flaw was disclosed impacting the widely used TI WooCommerce Wishlist plugin. With over 100,000 active installations, this vulnerability exposes numerous WordPress sites to potentially devastating remote attacks.
Understanding the TI WooCommerce Wishlist Plugin
The TI WooCommerce Wishlist plugin is designed to boost WooCommerce store sales by allowing customers to save and share their favorite products for future purchases. It offers features like customizable “Add to Wishlist” buttons, shareable lists on social media, and integration with multiple WooCommerce add-ons.
Thanks to its usability and rich feature set, it has earned a strong reputation with a high user rating and thousands of positive reviews. However, the recent discovery of a security vulnerability threatens to undermine its trustworthiness.
The Critical CVE-2025-47577 Vulnerability
Discovered by the cybersecurity researchers at Patchstack, the plugin suffers from an arbitrary file upload vulnerability with a CVSS severity score of 10.0 — the highest level of criticality.
This flaw allows unauthenticated attackers to upload malicious files to a targeted WordPress server without any authentication, potentially enabling remote code execution (RCE). Exploitation could let attackers gain control over the website, steal sensitive data, or launch further attacks.
Technical Details Behind the Vulnerability
The core issue arises from the function tinvwl_upload_file_wc_fields_factory which uses WordPress’s native wp_handle_upload() function but overrides the test_type and test_form parameters by setting them to false. This disables important validation checks:
test_typetypically verifies that the file’s MIME type matches expected types, preventing unauthorized file formats.test_formensures the file upload request originates from an expected form.
By disabling these safeguards, the plugin allows uploading any file type, including harmful PHP scripts.
However, the vulnerability is only exploitable if the site has the WC Fields Factory plugin installed and activated, and the integration with the Wishlist plugin is enabled.
Potential Impact on WordPress Sites
- Attackers can upload malicious PHP backdoors to execute arbitrary commands on the server.
- Full compromise of hosted websites, including defacement, data theft, and further malware distribution.
- Loss of customer trust and potential business disruption for e-commerce stores relying on WooCommerce.
- High risk to sites running both TI WooCommerce Wishlist and WC Fields Factory plugins.
Current Status and Recommendations
As of now, no official patch has been released to fix this vulnerability. Developers of the TI WooCommerce Wishlist plugin recommend removing or avoiding setting 'test_type' => false in wp_handle_upload().
Users of the plugin are strongly advised to:
- Deactivate and delete the TI WooCommerce Wishlist plugin from their WordPress sites until a confirmed patch is available.
- Check if the WC Fields Factory plugin is installed and integrated with the Wishlist plugin; if so, prioritize mitigation.
- Regularly monitor official plugin channels and WordPress security advisories for updates.
- Implement robust security measures for their WordPress sites including Web Application Firewalls (WAF), file integrity monitoring, and strict user permissions.
Protecting Your WordPress Site
Small business owners relying on WordPress and WooCommerce should take immediate action to safeguard their online stores from emerging threats. Alongside plugin management:
- Keep all plugins and WordPress core updated to their latest versions.
- Use security plugins or services that detect anomalous file uploads or unauthorized access attempts.
- Maintain regular backups and have a recovery plan in case of compromise.
- Consider professional cybersecurity services for vulnerability assessment and mitigation.
If you need expert assistance securing your WordPress ecommerce site against such vulnerabilities, CyberDef’s professional security solutions can help you implement comprehensive defenses.
Conclusion
The critical vulnerability in the TI WooCommerce Wishlist plugin highlights the importance of cautious plugin use and vigilant maintenance. With over 100,000 sites affected, the risk of exploitation is significant, making immediate action essential.
By following best security practices, keeping plugins updated, and leveraging expert cybersecurity support when needed, small business owners can protect their WordPress stores and customer trust.