
Over 100,000 WordPress Websites at Risk from Critical CVSS 10.0 Vulnerability in Wishlist Plugin



May 29, 2025 / Ravie Lakshmanan / Vulnerability / Website Security


Cybersecurity researchers have disclosed a critical unpatched security flaw affecting the TI WooCommerce Wishlist plugin for WordPress that could be exploited by unauthenticated attackers to upload arbitrary files.

TI WooCommerce Wishlist, which has over 100,000 active installations, is a tool that lets e-commerce site customers save their favourite products for later and share the lists on social media platforms.

"The plugin is vulnerable to an arbitrary file upload vulnerability which allows attackers to upload malicious files to the server without authentication," Patchstack researcher John Castro said.

Tracked as CVE-2025-47577, the vulnerability carries a CVSS score of 10.0. It affects all versions of the plugin up to and including 2.9.2, released on November 29, 2024. There is currently no patch available.

The website security company said the issue lies in a function named "tinvwl_upload_file_wc_fields_factory," which in turn uses the native WordPress function "wp_handle_upload" to perform the validation, but sets the override parameters "test_form" and "test_type" to "false."


The "test_type" override controls whether the Multipurpose Internet Mail Extension (MIME) type of the file is checked against what is expected, while "test_form" controls whether the $_POST['action'] parameter is verified to be the expected value.

Setting "test_type" to false effectively bypasses the file type validation, thereby allowing any file type to be uploaded.

That said, the vulnerable function is only reachable via tinvwl_meta_wc_fields_factory or tinvwl_cart_meta_wc_fields_factory, which are available only when the WC Fields Factory plugin is active.

This also means that successful exploitation is only possible if the WC Fields Factory plugin is installed and activated on the WordPress site and the integration is enabled in the TI WooCommerce Wishlist plugin.

In a hypothetical attack scenario, a threat actor could upload a malicious PHP file and achieve remote code execution (RCE) by directly accessing the uploaded file.

Plugin developers are advised to remove or avoid setting 'test_type' => false when calling wp_handle_upload(). In the absence of a patch, users of the plugin are urged to deactivate and delete it from their sites.
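To make the advice concrete, the following added example (written for this article, not code from the TI WooCommerce Wishlist plugin or from Patchstack) shows a wp_handle_upload() call with the weak override pattern the article describes beside a hardened version of the same call. The function names example_upload_weak, example_upload_hardened and the nonce action example_wishlist_upload are hypothetical; wp_handle_upload(), wp_verify_nonce(), current_user_can() and the override keys are real WordPress APIs.

```php
<?php
// Added example, not the plugin's own code. Assumes WordPress is loaded.
// wp_handle_upload() lives in wp-admin/includes/file.php and must be
// required explicitly when called outside the admin context.
require_once ABSPATH . 'wp-admin/includes/file.php';

/**
 * Weak pattern (hypothetical function name). With 'test_type' => false,
 * WordPress skips its extension/MIME check (wp_check_filetype_and_ext), so a
 * file with a .php extension is accepted and written under wp-content/uploads.
 * 'test_form' => false additionally skips the $_POST['action'] check.
 * Shown only so the dangerous line is visible next to the fix.
 */
function example_upload_weak( array $file ) {
    $overrides = array(
        'test_form' => false,
        'test_type' => false, // disables the file type validation entirely
    );
    return wp_handle_upload( $file, $overrides );
}

/**
 * Hardened pattern (hypothetical function name). Differences:
 *  - 'test_type' is left enabled, so the extension and sniffed content must
 *    agree with an allowed MIME type;
 *  - an explicit 'mimes' allow-list narrows the accepted types below the
 *    site-wide list returned by get_allowed_mime_types();
 *  - the caller must be logged in with a capability and present a nonce, so
 *    the upload path is not reachable by unauthenticated requests.
 */
function example_upload_hardened( array $file, string $nonce ) {
    if ( ! is_user_logged_in() || ! current_user_can( 'upload_files' ) ) {
        return array( 'error' => 'Not permitted.' );
    }
    // 'example_wishlist_upload' is a hypothetical nonce action name.
    if ( ! wp_verify_nonce( $nonce, 'example_wishlist_upload' ) ) {
        return array( 'error' => 'Invalid request token.' );
    }

    $overrides = array(
        // test_form => false is acceptable when the request does not originate
        // from a core admin form; it is test_type that must stay enabled.
        'test_form' => false,
        'test_type' => true,
        'test_size' => true,
        'mimes'     => array(
            'jpg|jpeg' => 'image/jpeg',
            'png'      => 'image/png',
            'pdf'      => 'application/pdf',
        ),
    );

    $result = wp_handle_upload( $file, $overrides );

    // wp_handle_upload() returns array( 'error' => string ) on rejection, or
    // array( 'file' => path, 'url' => url, 'type' => mime ) on success.
    if ( isset( $result['error'] ) ) {
        error_log( 'Rejected upload: ' . $result['error'] );
    }
    return $result;
}
```

The hardened form is also what to look for when reviewing other plugins: a call to wp_handle_upload() or wp_handle_sideload() whose overrides contain `'test_type' => false`, reachable from an AJAX or REST handler without a capability or nonce check, reproduces the same weakness. A quick audit is `grep -rn "test_type" wp-content/plugins`, followed by checking how each hit is reached.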
