31 May 2025
CVSS 10.0 in WooCommerce Wishlist: unauthenticated file upload threatens 100,000+ stores
Critical flaw CVE-2025-47577 (CVSS 10.0) in the TI WooCommerce Wishlist plugin allows unauthenticated file upload and full store takeover. Over 100,000 sites affected.
Researchers at Patchstack disclosed a critical security flaw in the popular WordPress plugin TI WooCommerce Wishlist, which has more than 100,000 active installations. The vulnerability carries the maximum possible severity — CVSS 10.0.
What it is
The flaw, tracked as CVE-2025-47577, allows unauthenticated arbitrary file upload to the server — no login required. It originates in the tinvwl_upload_file_wc_fields_factory function, which calls WordPress's built-in wp_handle_upload() but passes overrides that set both test_form and test_type to false. Setting test_type to false disables the file-type (MIME and extension) check that wp_handle_upload() normally performs, so any file type, including PHP, can be uploaded.
All versions up to and including 2.9.2 (released 29 November 2024) are affected. At the time of disclosure, 29 May 2025, no patch was available.
When exploitation is possible
The vulnerable function is only reachable if the WC Fields Factory plugin is also installed and active, with its Wishlist integration enabled. In that case an attacker can upload a malicious PHP file and, by accessing it directly, achieve remote code execution (RCE) — full control over the store.
What to do
With no patch available, Patchstack advises users to deactivate and delete the affected plugin. Developers are urged to avoid setting 'test_type' => false when using wp_handle_upload().
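To make the developer advice concrete, here is an added example (not the plugin's own code) that places the weak override pattern described above beside a hardened call. It assumes a WordPress runtime where wp_handle_upload() and wp_check_filetype() are available, uses a hypothetical $_FILES field, and adds a capability check and an explicit MIME allowlist as extra layers that the advisory does not itself prescribe.

```php
<?php
// Added example, not from the TI WooCommerce Wishlist plugin. Assumes it runs
// inside WordPress (wp_handle_upload, wp_check_filetype, WP_Error available).

// Weak pattern from the advisory: both checks disabled, so wp_handle_upload()
// accepts any file type and the caller never verified who sent the request.
function insecure_handle_upload( array $file ) {
    $overrides = array(
        'test_form' => false,
        'test_type' => false, // turns off the MIME/extension check: do not do this
    );
    return wp_handle_upload( $file, $overrides );
}

// Hardened form: require an authorised user (assumption, added here), keep
// test_type on, and restrict accepted types to an explicit allowlist.
function secure_handle_upload( array $file ) {
    if ( ! is_user_logged_in() || ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'forbidden', 'Authentication required.' );
    }
    // Only the extension/MIME pairs this feature actually needs; no PHP, no HTML.
    $allowed_mimes = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'pdf'      => 'application/pdf',
    );
    // Fail early if the submitted name does not map to an allowed type.
    $check = wp_check_filetype( $file['name'], $allowed_mimes );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'File type not permitted.' );
    }
    $overrides = array(
        'test_form' => false,         // custom form, not the wp_handle_upload admin action
        'test_type' => true,          // keep WordPress's MIME/extension check enabled
        'mimes'     => $allowed_mimes, // allowlist applied inside wp_handle_upload()
    );
    $result = wp_handle_upload( $file, $overrides );
    if ( isset( $result['error'] ) ) {
        return new WP_Error( 'upload_failed', $result['error'] );
    }
    return $result; // array with 'file', 'url' and 'type' on success
}

// Hypothetical field name; the plugin's real request parameters are not on the page.
if ( isset( $_FILES['example_wishlist_file'] ) ) {
    $outcome = secure_handle_upload( $_FILES['example_wishlist_file'] );
}
```

With test_type left enabled, wp_handle_upload() also verifies image content against the declared extension, so a renamed PHP file is rejected rather than written into the uploads directory.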
Our take. This is a textbook case for why WooCommerce stores need regular plugin security reviews. A single outdated plugin with a misconfigured upload handler is enough to take over an entire site. As part of our WordPress/WooCommerce security testing and maintenance, we audit installed plugins, their versions and known CVEs, and close vectors like this before someone else finds them.
Source: Patchstack (researcher John Castro); based on reporting by The Hacker News, 29 May 2025.