Advisory

Critical flaw in TI WooCommerce Wishlist Plugin enables remote code execution

Take action: If you are using the TI WooCommerce Wishlist plugin, be aware that it is critically vulnerable and has no patch. Immediately deactivate and delete the TI WooCommerce Wishlist plugin: it is exposed to the internet by its very nature, and attackers will target it to compromise your site.


Learn More

The TI WooCommerce Wishlist plugin, a popular WordPress extension used by over 100,000 active WooCommerce installations worldwide, has been found to contain a critical security vulnerability that allows unauthenticated attackers to upload arbitrary files and achieve remote code execution on affected websites. 

The vulnerability, tracked as CVE-2025-47577 (CVSS score 10.0), is an unauthenticated arbitrary file upload vulnerability. It can be exploited through helper functions such as tinvwl_meta_wc_fields_factory or tinvwl_cart_meta_wc_fields_factory. These functions process file uploads through WordPress's native wp_handle_upload method but deliberately disable critical security validations that would normally prevent malicious file uploads.

Exploitation has one prerequisite: the WC Fields Factory plugin must be active alongside the vulnerable wishlist plugin. This reduces the number of exploitable setups but still leaves a considerable number of websites vulnerable, as many WooCommerce stores use multiple plugins for added functionality.

The exploit process is straightforward and can be executed by attackers with minimal technical sophistication. Once a malicious PHP file is uploaded through the vulnerable endpoint, attackers can directly access the uploaded content on the server to achieve remote code execution.

The vulnerability affects version 2.9.2 and all previous versions of the TI WooCommerce Wishlist plugin, with no patched release currently available from the plugin developers. 

Patchstack security researchers identified the vulnerability during routine security assessments and attempted to contact the plugin vendor on March 26, 2025. After receiving no response from the developers for nearly two months, the security firm proceeded to publish the vulnerability details to their database on May 16, 2025, followed by a public advisory on May 27, 2025.

Given the absence of an official patch and the vendor's continued unresponsiveness, website administrators should remove the plugin from all WordPress installations, even though this may impact store functionality for businesses that have integrated wishlist features into their customer experience. 
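As an added triage example (not code from the advisory, the plugin vendor or Patchstack), the following Python script applies the conditions described above to the output of WP-CLI's `wp plugin list`: TI WooCommerce Wishlist installed at version 2.9.2 or earlier, WC Fields Factory active, and no patched release, so the only action is removal. The plugin slugs and the sample plugin versions are assumptions; confirm the slugs against your own `wp plugin list` output.

```python
"""Exposure triage for CVE-2025-47577 against `wp plugin list` output (WP-CLI).

Added example, not code from the advisory or the plugin. The plugin slugs are
assumptions: confirm them against your own `wp plugin list` output.
"""
import json

WISHLIST_SLUG = "ti-woocommerce-wishlist"  # assumed slug of TI WooCommerce Wishlist
FIELDS_FACTORY_SLUG = "wc-fields-factory"  # assumed slug of WC Fields Factory
LAST_AFFECTED = "2.9.2"                     # advisory: 2.9.2 and all earlier versions

# Constructed sample of `wp plugin list --fields=name,status,version --format=json`.
SAMPLE_PLUGIN_LIST = """[
  {"name": "woocommerce", "status": "active", "version": "9.8.1"},
  {"name": "ti-woocommerce-wishlist", "status": "active", "version": "2.9.2"},
  {"name": "wc-fields-factory", "status": "active", "version": "4.1.8"}
]"""


def version_key(version):
    """Compare '2.10.0' > '2.9.2' numerically; non-numeric parts count as 0."""
    return tuple(int(part) if part.isdigit() else 0 for part in version.split("."))


def assess(plugins):
    """Map a parsed plugin list to the exposure conditions the advisory names."""
    by_slug = {p["name"]: p for p in plugins}
    wishlist = by_slug.get(WISHLIST_SLUG)
    factory = by_slug.get(FIELDS_FACTORY_SLUG)
    installed = wishlist is not None
    active = installed and wishlist["status"] == "active"
    affected = installed and version_key(wishlist["version"]) <= version_key(LAST_AFFECTED)
    factory_active = factory is not None and factory["status"] == "active"
    return {
        "wishlist_installed": installed,
        "wishlist_active": active,
        "affected_version": affected,
        "fields_factory_active": factory_active,
        # Reachable today: vulnerable plugin active plus the WC Fields Factory prerequisite.
        "meets_advisory_conditions": active and affected and factory_active,
        # No patched release exists, so any install of an affected version gets removed.
        "action": f"wp plugin deactivate {WISHLIST_SLUG} && wp plugin delete {WISHLIST_SLUG}"
        if affected else "none",
    }


def assess_json(text):
    """Convenience wrapper: accept the raw JSON string printed by WP-CLI."""
    return assess(json.loads(text))


if __name__ == "__main__":
    for key, value in assess_json(SAMPLE_PLUGIN_LIST).items():
        print(f"{key}: {value}")
```

Feed it real data with `wp plugin list --fields=name,status,version --format=json | python3 triage.py` after replacing the sample with a read from stdin.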
