Cybersecurity researchers have disclosed a critical unpatched security flaw impacting TI WooCommerce Wishlist plugin for WordPress that could be exploited by unauthenticated attackers to upload arbitrary files.
TI WooCommerce Wishlist, which has over 100,000 active installations, is a tool to allow e-commerce site customers to save their favorite products for later and share the lists on social media platforms.
“The plugin is vulnerable to an arbitrary file upload vulnerability which allows attackers to upload malicious files to the server without authentication,” Patchstack researcher John Castro said.
Tracked as CVE-2025-47577, the vulnerability carries a CVSS score of 10.0. It affects all versions of the plugin below and including 2.9.2 released on November 29, 2024. There is currently no patch available.
The website security company said the issue lies in a function named “tinvwl_upload_file_wc_fields_factory,” which, in turn, uses another native WordPress function “wp_handle_upload” to perform the validation, but sets the override parameters “test_form” and “test_type” to “false.”
The “test_type” override is used to check whether the Multipurpose Internet Mail Extension (MIME) type of the file is as expected, while “test_form” is to check to verify if the $_POST[‘action’] parameter is as expected.
In setting “test_type” to false, it allows the file type validation to be effectively bypassed, thereby allowing any file type to be uploaded.
That having said, the vulnerable function is accessible via tinvwl_meta_wc_fields_factory or tinvwl_cart_meta_wc_fields_factory, which are only available when the WC Fields Factory plugin is active.
This also means that successful exploitation is only possible if the WC Fields Factory plugin is installed and activated on the WordPress site and the integration is enabled on the TI WooCommerce Wishlist plugin.
In a hypothetical attack scenario, a threat actor could upload a malicious PHP file and achieve remote code execution (RCE) by directly accessing the uploaded file.
Plugin developers are recommended to remove or avoid setting ‘test_type’ => false when using wp_handle_upload(). In the absence of a patch, users of the plugin are urged to deactivate and delete it from their sites.
