
Over 100,000 WordPress Sites at Risk from Critical CVSS 10.0 Vulnerability in Wishlist Plugin

May 29, 2025 | Ravie Lakshmanan | Vulnerability / Website Security

Cybersecurity researchers have disclosed a critical, unpatched security flaw in the TI WooCommerce Wishlist plugin for WordPress that could be exploited by unauthenticated attackers to upload arbitrary files.

TI WooCommerce Wishlist, which has over 100,000 active installations, is a tool that lets e-commerce site customers save their favourite products for later and share the lists on social media platforms.

"The plugin is vulnerable to an arbitrary file upload vulnerability which allows attackers to upload malicious files to the server without authentication," Patchstack researcher John Castro said.

Tracked as CVE-2025-47577, the vulnerability carries a CVSS score of 10.0. It affects all versions of the plugin up to and including 2.9.2, released on November 29, 2024. There is currently no patch available.

The website security company said the issue lies in a function named "tinvwl_upload_file_wc_fields_factory," which in turn calls the native WordPress function "wp_handle_upload" to perform the validation, but sets the override parameters "test_form" and "test_type" to "false."


The "test_type" override controls whether wp_handle_upload() checks that the file's Multipurpose Internet Mail Extensions (MIME) type and extension are as expected, while "test_form" controls whether it verifies that the $_POST['action'] parameter is as expected.

Setting "test_type" to false effectively bypasses the file type validation, thereby allowing any file type to be uploaded.

That said, the vulnerable function is only reachable via tinvwl_meta_wc_fields_factory or tinvwl_cart_meta_wc_fields_factory, both of which are available only when the WC Fields Factory plugin is active.

This also means that successful exploitation is only possible if the WC Fields Factory plugin is installed and activated on the WordPress site and the integration is enabled in the TI WooCommerce Wishlist plugin.

In a hypothetical attack scenario, a threat actor could upload a malicious PHP file and achieve remote code execution (RCE) by directly requesting the uploaded file.

Plugin developers are advised to remove, or avoid setting, 'test_type' => false when calling wp_handle_upload(). In the absence of a patch, users of the plugin are urged to deactivate and delete it from their sites.
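To make the override behaviour concrete, the following is an added example written for this page; it is not code from the TI WooCommerce Wishlist plugin or from Patchstack. It shows a hypothetical upload handler built on the real WordPress API wp_handle_upload() in the weak configuration the article describes, beside a hardened version that keeps 'test_type' enabled and restricts accepted types through the 'mimes' override. The function names example_upload_unsafe, example_upload_hardened and example_handle_request, and the nonce action 'example_upload', are invented for the illustration.

```php
<?php
// Added example, not the plugin's own code. Assumes it runs inside WordPress
// (ABSPATH, wp_handle_upload(), WP_Error and the capability/nonce helpers exist).

// Weak pattern: both checks that wp_handle_upload() can perform are switched
// off. With 'test_type' => false no MIME/extension validation happens, so a
// .php file is written to the web-accessible uploads directory as-is.
function example_upload_unsafe( array $file ) {
    $overrides = array(
        'test_form' => false, // skip the $_POST['action'] check
        'test_type' => false, // skip the MIME type / extension check
    );
    return wp_handle_upload( $file, $overrides );
}

// Hardened pattern: leave 'test_type' at its default of true so that
// wp_handle_upload() runs wp_check_filetype_and_ext(), and pass an explicit
// allow-list via 'mimes' so only the listed extension/MIME pairs are accepted.
function example_upload_hardened( array $file ) {
    if ( ! function_exists( 'wp_handle_upload' ) ) {
        require_once ABSPATH . 'wp-admin/includes/file.php';
    }
    $overrides = array(
        // 'test_type' is intentionally not set, so it stays true.
        'test_form' => false, // only acceptable because the caller verified a nonce
        'mimes'     => array(
            'jpg|jpeg|jpe' => 'image/jpeg',
            'png'          => 'image/png',
            'pdf'          => 'application/pdf',
        ),
    );
    $result = wp_handle_upload( $file, $overrides );
    if ( isset( $result['error'] ) ) {
        // wp_handle_upload() reports a rejected file type here rather than throwing.
        return new WP_Error( 'upload_rejected', $result['error'] );
    }
    return $result; // contains 'file', 'url' and 'type' on success
}

// Entry point: refuse unauthenticated callers and verify a nonce before the
// file is touched at all, which closes the unauthenticated path the article
// warns about independently of the type check.
function example_handle_request() {
    if ( ! is_user_logged_in() || ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'forbidden', 'Authentication required.' );
    }
    check_ajax_referer( 'example_upload', 'nonce' ); // hypothetical nonce action
    if ( empty( $_FILES['upload'] ) ) {
        return new WP_Error( 'no_file', 'No file supplied.' );
    }
    return example_upload_hardened( $_FILES['upload'] );
}
```

The two halves of the fix are independent: the 'mimes' allow-list with 'test_type' left enabled stops a .php payload from being written even if the endpoint is reached, and the capability and nonce checks stop an unauthenticated visitor from reaching it in the first place.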
