Critical Unauthenticated File Upload Vulnerability in TI WooCommerce Wishlist Plugin (CVE-2025-47577)

A critical vulnerability has been discovered in the popular TI WooCommerce Wishlist WordPress plugin, which affects all versions up to 2.9.2. This security flaw allows unauthenticated attackers to upload arbitrary files, including malicious PHP shells, and fully compromise the target server.

The vulnerability, tracked as CVE-2025-47577, carries a maximum CVSS score of 10.0.

Summary

  • Vulnerability ID: CVE-2025-47577

  • Type: Unrestricted File Upload

  • Severity: Critical (CVSS 10.0)

  • Affected Plugin: TI WooCommerce Wishlist

  • Affected Versions: ≤ 2.9.2

  • Patch Status: No official fix as of June 2025

  • Prerequisites: WC Fields Factory plugin must also be active

Technical Analysis

The vulnerability lies in the misuse of the WordPress function wp_handle_upload() inside the tinvwl_upload_file_wc_fields_factory() function. The plugin disables the following crucial parameters:

    'test_form' => false,
    'test_type' => false,

By bypassing form validation and MIME type checking, the plugin opens the door for attackers to upload any file type, including executable PHP code, without authentication.

Vulnerable Code

function tinvwl_upload_file_wc_fields_factory( $file ) {
    if ( ! function_exists( 'wp_handle_upload' ) ) {
        require_once( ABSPATH . 'wp-admin/includes/file.php' );
    }
    $upload = wp_handle_upload(
        $file,
        [
            'test_form' => false, // skips the form/action validation wp_handle_upload() normally performs
            'test_type' => false, // skips the MIME type and extension check, so .php files are accepted
        ]
    );
    return $upload;
}

When the WC Fields Factory plugin is active, it triggers the execution path that makes this function accessible via AJAX, thus enabling a remote attacker to upload files to the server.
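For comparison, a hardened counterpart to the function above, written here as an added illustration: it is not the plugin's code and no official patch exists at the time of writing. The nonce name, the AJAX action name and the MIME whitelist are assumptions chosen for this example.

```php
<?php
// Added example, not the plugin's code. Names marked "assumed" are placeholders.
function tinvwl_upload_file_wc_fields_factory_hardened( $file ) {
    // Refuse anonymous callers: the original reaches wp_handle_upload() with no
    // authentication at all.
    if ( ! is_user_logged_in() ) {
        return array( 'error' => 'Authentication required.' );
    }
    // Require a valid nonce for this AJAX handler (nonce action 'tinvwl_upload'
    // and request field 'nonce' are assumed names).
    check_ajax_referer( 'tinvwl_upload', 'nonce' );

    if ( ! function_exists( 'wp_handle_upload' ) ) {
        require_once ABSPATH . 'wp-admin/includes/file.php';
    }

    // Leave 'test_form' and 'test_type' at their defaults (true). With
    // 'test_type' enabled, WordPress checks the file's real content type
    // against its extension and against the 'mimes' whitelist below, so a
    // .php upload is rejected instead of written to wp-content/uploads.
    // Note: users holding the 'unfiltered_upload' capability bypass the type
    // check by design, so restrict who can reach this handler at all.
    $overrides = array(
        // Expected $_POST['action'] value; with 'test_form' enabled the request
        // is rejected unless it matches (assumed AJAX action name).
        'action' => 'tinvwl_upload_wc_fields_factory',
        // Only the types a wishlist custom field needs (assumed whitelist).
        'mimes'  => array(
            'jpg|jpeg' => 'image/jpeg',
            'png'      => 'image/png',
            'gif'      => 'image/gif',
            'pdf'      => 'application/pdf',
        ),
    );

    $upload = wp_handle_upload( $file, $overrides );

    // wp_handle_upload() reports rejection as array( 'error' => '...' ).
    if ( isset( $upload['error'] ) ) {
        return array( 'error' => sanitize_text_field( $upload['error'] ) );
    }
    return $upload;
}
```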

Potential Impact

If exploited, an attacker could:

  • Gain full remote code execution (RCE)

  • Install backdoors or web shells

  • Hijack WordPress admin sessions

  • Modify or deface website content

  • Exfiltrate sensitive data from the server

Mitigation and Recommendations

Immediate Actions

  • Deactivate and remove the TI WooCommerce Wishlist plugin.

  • Disable the WC Fields Factory plugin if active.

File System Checks

  • Review wp-content/uploads/ for any unauthorized or suspicious .php, .phtml, or .sh files.

Harden WordPress Security

  • Use WAFs like Cloudflare WAF or Sucuri Firewall.

  • Install security plugins like Wordfence or iThemes Security.

  • Configure the web server to disallow .php execution in the wp-content/uploads directory.

Final Thoughts

CVE-2025-47577 is a critical zero-day affecting thousands of WordPress sites using the TI WooCommerce Wishlist plugin. Since no official fix has been released yet, proactive deactivation and file monitoring are essential to avoid compromise.

Stay secure, stay patched.
QState Cyber Security Team