Vulnerability in WordPress plugin may expose more than 100,000 sites to potential threats
A critical-severity vulnerability has been discovered in the TI WooCommerce Wishlist plugin, posing significant risk to thousands of websites, including e-commerce stores.
Security researchers from Patchstack identified an arbitrary file upload flaw in the plugin that lets unauthorized actors upload malicious files to the underlying server [1]. Affected websites are therefore at risk of full takeover [1].
The vulnerability has been assigned CVE-2025-47577 and carries a critical severity score of 10/10 because it can lead to remote code execution (RCE) [1].
According to The Hacker News, the TI WooCommerce Wishlist plugin, an extension for WooCommerce stores, has over 100,000 active installations, which widens the attack surface [3]. It offers features such as social sharing options, AJAX-based functionality, multiple wishlist support, and email notifications [3].
As of this report, no patch is available for the vulnerability [2]. Given the critical nature of the flaw and the lack of a fix, users are strongly advised either to deactivate and remove the plugin [1] or to keep their sites secure by regularly inspecting upload directories for suspicious files and by using security tools to restrict file upload permissions and detect potential attacks [1].
Users should also watch for updates from the vendor and apply a patch as soon as one becomes available [1]. Proactive security audits can help identify and address vulnerabilities as well [1].
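As a concrete form of the upload-directory inspection advised above, here is an added Python example (not Patchstack's, the vendor's, or this article's own code) that walks a WordPress uploads tree and flags files that should never appear there: PHP-executable extensions, double extensions such as `name.php.jpg`, a `.htaccess` dropped into uploads, and a PHP open tag inside a file posing as an image. The extension list, the 4 KB header read, and the sample tree it builds under a temporary directory are assumptions and constructed data; pass a real `wp-content/uploads` path as the first argument to scan a live site.

```python
"""Scan a WordPress uploads directory for files that should never live there.

Added example implementing the "inspect upload directories for suspicious
files" advice. Extension list, header size and sample tree are assumptions.
"""
import os
import re
import sys
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Extensions a typical PHP handler may execute (assumed list; adjust to the server's config).
EXECUTABLE_EXTS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps"}
# PHP open tag (<?php or <?=), matched anywhere in the file header.
PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
HEAD_BYTES = 4096  # assumed: enough to catch a tag hidden after an image header


def classify(path: Path) -> Optional[str]:
    """Return a finding label for a suspicious file, or None if nothing stands out."""
    suffixes = [s.lower() for s in path.suffixes]
    # 1. Directly executable extension, e.g. shell.php
    if suffixes and suffixes[-1] in EXECUTABLE_EXTS:
        return "executable-extension"
    # 2. Executable extension hidden before the final one, e.g. photo.php.jpg;
    #    some handler configurations execute these regardless of the last suffix.
    if any(s in EXECUTABLE_EXTS for s in suffixes[:-1]):
        return "double-extension"
    # 3. A .htaccess inside uploads can override the server's "no PHP here" rule.
    if path.name.lower() == ".htaccess":
        return "htaccess-in-uploads"
    # 4. PHP code inside a file whose extension claims it is an image or document.
    try:
        with path.open("rb") as fh:
            head = fh.read(HEAD_BYTES)
    except OSError:
        return None  # unreadable files are reported by the permissions audit, not here
    if PHP_OPEN_TAG.search(head):
        return "php-code-in-non-php-file"
    return None


def scan_uploads(root: Path) -> Dict[str, str]:
    """Walk root recursively; map relative POSIX path -> finding for each suspicious file."""
    findings: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            p = Path(dirpath) / fname
            label = classify(p)
            if label:
                findings[p.relative_to(root).as_posix()] = label
    return findings


def build_sample_uploads() -> Path:
    """Construct a throwaway uploads tree mixing benign and suspicious files (constructed sample)."""
    root = Path(tempfile.mkdtemp(prefix="wp-uploads-"))
    month_dir = root / "2025" / "05"
    month_dir.mkdir(parents=True)
    (month_dir / "product.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 64)  # JPEG header, benign
    (month_dir / "catalog.pdf").write_bytes(b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n")       # PDF header, benign
    (month_dir / "shell.php").write_bytes(b"<?php /* placeholder */ ?>")          # should never be here
    (month_dir / "photo.php.jpg").write_bytes(b"\xff\xd8\xff\xe0")                 # double extension
    (month_dir / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n<?php /* hidden */ ?>")  # PHP tag in "image"
    (month_dir / ".htaccess").write_bytes(b"# constructed sample\n")               # config in uploads
    return root


def scan_sample() -> Dict[str, str]:
    """Build the constructed tree and scan it; used when no path is supplied."""
    return scan_uploads(build_sample_uploads())


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    results = scan_uploads(target) if target else scan_sample()
    for rel, label in sorted(results.items()):
        print(f"{label:28s} {rel}")
    sys.exit(1 if results else 0)  # non-zero exit lets a cron job or monitor raise an alert
```

Run it on a schedule and alert on any non-empty result or non-zero exit. It complements, rather than replaces, a web-server rule that denies PHP execution under the uploads directory: a file the scanner misses still cannot run if the interpreter is never invoked for that path.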
Note that for an exploit to succeed, the WC Fields Factory plugin must be installed and active on the affected site, with its integration enabled in the TI WooCommerce Wishlist plugin [1]. The WC Fields Factory plugin allows store owners to add custom fields to product pages, variations, checkout forms, and the WordPress admin interface [3].
- In light of this threat, operators of e-commerce sites should prioritize security measures such as regularly inspecting upload directories and restricting file upload permissions to prevent attacks that exploit the vulnerability in the TI WooCommerce Wishlist plugin.
- Given the critical severity of the arbitrary file upload flaw in the TI WooCommerce Wishlist plugin, technology leaders and security teams should plan proactive measures, including security audits and prompt application of patches, to protect their e-commerce sites and reduce the risk associated with this vulnerability.