Over 100,000 WordPress Sites at Risk from Critical CVSS 10.0 Vulnerability in Wishlist Plugin
Cybersecurity experts have revealed a critical security flaw in the TI WooCommerce Wishlist plugin for WordPress, which can allow attackers to upload malicious files without authentication. This vulnerability, affecting over 100,000 sites, could lead to remote code execution if exploited. #CVE-2025-47577 #WordPressPlugins

Key points

  • The vulnerability is due to improper file type validation in the TI WooCommerce Wishlist plugin.
  • Attackers can exploit the flaw only if the WC Fields Factory plugin is active and integrated.
  • The flaw allows unauthenticated attackers to upload arbitrary files, including malicious PHP scripts.
  • The issue is caused by the “test_type” parameter being set to false when the upload is handled, which skips WordPress's file type validation.
  • No patch is available yet, and users are advised to deactivate and delete the affected plugin.
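
To illustrate the class of defect described above, here is an added example (hypothetical code, not the plugin's own) of a WordPress upload handler with the weak `test_type` setting beside a hardened form; `wp_handle_upload()` and `wp_check_filetype_and_ext()` are real WordPress APIs, while the `demo_*` function names and the image allow-list are assumptions for this example.

```php
<?php
// Hypothetical handlers, not the plugin's code. Assumes the WordPress
// runtime (wp_handle_upload, wp_check_filetype_and_ext, current_user_can)
// is loaded and $file is one entry of $_FILES.

// Weak form: 'test_type' => false turns off WordPress's extension/MIME
// check, so any file name in the request (e.g. a .php file) is written
// into the uploads directory as-is.
function demo_upload_unsafe( array $file ) {
    $overrides = array(
        'test_form' => false,
        'test_type' => false, // the dangerous setting
    );
    return wp_handle_upload( $file, $overrides );
}

// Hardened form: require a capable, authenticated user, keep type testing
// on, and restrict accepted types to what the feature actually needs.
function demo_upload_safe( array $file ) {
    if ( ! is_user_logged_in() || ! current_user_can( 'upload_files' ) ) {
        return array( 'error' => 'Rejected: not authorised to upload.' );
    }

    $allowed = array( // assumed allow-list: this feature only needs images
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    );

    // Defence in depth: check the extension and the sniffed content type
    // against the allow-list before handing the file to WordPress.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return array( 'error' => 'Rejected: file type not permitted.' );
    }

    $overrides = array(
        'test_form' => false,
        'test_type' => true,   // WordPress default, stated explicitly
        'mimes'     => $allowed,
    );
    return wp_handle_upload( $file, $overrides );
}
```

When auditing a plugin, grep its upload paths for `'test_type' => false` and confirm that any such call is reachable only by authenticated, capability-checked users with an explicit `mimes` allow-list.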

Read More: https://thehackernews.com/2025/05/over-100000-wordpress-sites-at-risk.html