Over 100,000 WordPress Sites at Risk from Critical CVSS 10.0 Vulnerability in Wishlist Plugin
Briefly

Cybersecurity researchers have identified a severe vulnerability in the TI WooCommerce Wishlist plugin for WordPress that is currently unpatched and affects over 100,000 installations. Tracked as CVE-2025-47577 with a CVSS score of 10.0, the flaw lets unauthenticated attackers upload arbitrary malicious files because of improper validation. It arises from the way the plugin overrides key validation checks in a specific function; exploitation is feasible only if the WC Fields Factory plugin is also installed and active, which raises concerns for e-commerce site security.
Cybersecurity researchers have disclosed a critical, unpatched security flaw in the TI WooCommerce Wishlist plugin for WordPress that could be exploited by unauthenticated attackers to upload arbitrary files.
The plugin is affected by an arbitrary file upload vulnerability that allows attackers to upload malicious files to the server without authentication, according to Patchstack researcher John Castro.
Tracked as CVE-2025-47577, the vulnerability has a CVSS score of 10.0 and affects all plugin versions up to and including 2.9.2; no patch is currently available.
The vulnerability originates in a function that improperly configures the upload validation parameters, which lets attackers bypass file type checks and upload malicious files.
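As an added illustration (not the plugin's code, and not from the original article), the pattern the article describes: a WordPress upload handler that switches off wp_handle_upload()'s own validation, beside a hardened version that keeps it and adds an authorization check. It assumes the plugin overrides wp_handle_upload()'s test_type check, which the article does not state; the function names and nonce action are hypothetical.

```php
<?php
// Added illustration, not the plugin's code. Assumption: the weak pattern is
// an $overrides array passed to wp_handle_upload(); the article does not name
// the function or the exact parameters it overrides.

// Weak: test_type => false disables WordPress's extension/MIME validation, so
// any file type, including executable scripts, is accepted. Nothing checks
// who is calling, so an unauthenticated request reaches this code path.
function example_weak_upload( array $file ) {
    $overrides = array(
        'test_form' => false,
        'test_type' => false, // file type validation switched off
    );
    return wp_handle_upload( $file, $overrides );
}

// Hardened: require a logged-in user with the upload capability and a valid
// nonce, keep type validation on, and restrict uploads to an explicit
// allow-list of MIME types.
function example_hardened_upload( array $file, string $nonce ) {
    if ( ! is_user_logged_in() || ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'forbidden', 'Not allowed to upload files.' );
    }
    if ( ! wp_verify_nonce( $nonce, 'example_wishlist_upload' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid request.' );
    }
    $overrides = array(
        'test_form' => false,
        'test_type' => true, // keep extension/MIME validation
        'mimes'     => array( // only these types are accepted
            'jpg|jpeg' => 'image/jpeg',
            'png'      => 'image/png',
        ),
    );
    $result = wp_handle_upload( $file, $overrides );
    if ( isset( $result['error'] ) ) {
        return new WP_Error( 'upload_failed', $result['error'] );
    }
    return $result; // array with 'file', 'url' and 'type' keys
}
```

The capability and nonce checks matter as much as the type check: the article's finding is that the upload is reachable without authentication, so restoring validation alone still leaves an open endpoint.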
Read at The Hacker News