This article highlights a critical, unpatched file upload vulnerability in the TI WooCommerce Wishlist plugin that allows attackers to achieve remote code execution. Users are advised to deactivate and delete the plugin until a patch is released. #TWWooCommerceWishlist #VulnerabilityCVE-2025-47577
Keypoints
- The TI WooCommerce Wishlist plugin is vulnerable to an unauthenticated arbitrary file upload.
- The vulnerability arises from a call to the wp_handle_upload function with 'test_type' set to false, which bypasses file type validation.
- The security flaw is only exploitable when the WC Fields Factory plugin is active and integrated.
- There is currently no patched version of the plugin available.
- Users should deactivate and delete the plugin to prevent potential remote code execution attacks.
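To check whether other code on a site disables the same validation, the following audit script (an added example, not code from the Patchstack article or from the plugin) scans PHP source for places where 'test_type' is set to false and lists the wp_handle_upload calls in the same file. The names audit_php and audit_tree are hypothetical, and SAMPLE is a constructed snippet, not the plugin's code.

```python
import re
from pathlib import Path

# Quoted strings are matched first so that '//' or '#' inside a value is not
# mistaken for a comment; comments are blanked out (newlines kept) so that
# commented-out code is ignored and line numbers stay correct.
TOKEN = re.compile(r"""
    (?P<str>'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*")
  | (?P<com>/\*.*?\*/|//[^\n]*|\#[^\n]*)
""", re.VERBOSE | re.DOTALL)

# Matches  'test_type' => false  and  $x['test_type'] = false  (false or 0).
DISABLED = re.compile(r"""['"]test_type['"]\s*(?:=>|\]\s*=)\s*(?:false|0)\b""", re.I)
UPLOAD_CALL = re.compile(r"\bwp_handle_upload\s*\(")

def strip_comments(source):
    def blank(m):
        if m.group("str") is not None:
            return m.group(0)
        return re.sub(r"[^\n]", " ", m.group(0))
    return TOKEN.sub(blank, source)

def audit_php(source):
    """Return one finding per place where the test_type check is switched off."""
    code = strip_comments(source)
    line_of = lambda pos: code.count("\n", 0, pos) + 1
    calls = [line_of(m.start()) for m in UPLOAD_CALL.finditer(code)]
    return [{"line": line_of(m.start()), "upload_call_lines": calls}
            for m in DISABLED.finditer(code)]

def audit_tree(root):
    """Audit every .php file under root, e.g. a site's wp-content/plugins."""
    report = {}
    for path in Path(root).rglob("*.php"):
        hits = audit_php(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[str(path)] = hits
    return report

# Constructed sample for illustration only.
SAMPLE = """<?php
// 'test_type' => false  (commented out, must not be reported)
$overrides = array(
    'test_form' => false,
    'test_type' => false,
);
$result = wp_handle_upload( $file, $overrides );
"""

if __name__ == "__main__":
    print(audit_php(SAMPLE))
```

A finding with an empty upload_call_lines list still deserves review, because the overrides array may be passed to wp_handle_upload from another file.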
Read More: https://patchstack.com/articles/unpatched-critical-vulnerability-in-ti-woocommerce-wishlist-plugin/