No patch in sight: WordPress websites with TI WooCommerce Wishlist vulnerable

A vulnerability rated "critical" with the highest possible CVSS score threatens WordPress websites running the TI WooCommerce Wishlist plug-in.


(Image: David MG / Shutterstock.com)


If the WordPress plug-in TI WooCommerce Wishlist is installed, attackers can upload malicious code and compromise the website with comparatively little effort. No security update is available yet. However, installations are only attackable under certain conditions.

The vulnerability (CVE-2025-47577) is classified as "critical" with the highest possible CVSS score of 10 out of 10. It was discovered by security researchers at Patchstack. According to their report, however, websites are only vulnerable if the WooCommerce extension WC Fields Factory is also active and its integration with TI WooCommerce Wishlist is enabled.


If that is the case, attackers can reach the defective upload function tinvwl_upload_file_wc_fields_factory. It passes the override 'test_type' => false to WordPress' upload handler, which disables the file-type check that would normally reject anything not on the allowed MIME list. An attacker can therefore upload a prepared PHP file remotely and then execute it on the server. According to the security researchers, no attacks have been observed to date.
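To show what 'test_type' => false actually switches off, here is an added illustration (not code from TI WooCommerce Wishlist or from Patchstack's report) that contrasts the vulnerable upload pattern with a hardened one. The only real WordPress API used is wp_handle_upload() with its documented override keys plus wp_check_filetype_and_ext(); the example_* function names and the allow-list are assumptions made up for this example.

```php
<?php
// Added illustration, not the plug-in's own code. Function names prefixed
// example_ are hypothetical; wp_handle_upload(), wp_check_filetype_and_ext(),
// wp_generate_password() and WP_Error are real WordPress core API.

// VULNERABLE pattern: 'test_type' => false tells wp_handle_upload() to skip
// wp_check_filetype_and_ext(). Any $_FILES entry, including shell.php, is
// moved into the uploads directory under its original name. If the web
// server executes PHP there, the upload is remote code execution.
function example_upload_unchecked( array $file ) {
    $overrides = array(
        'test_form' => false, // not posted via a WP form; harmless by itself
        'test_type' => false, // disables the extension/MIME check: the bug class
    );
    return wp_handle_upload( $file, $overrides );
}

// HARDENED pattern: keep the core type check on, restrict to an explicit
// allow-list, validate before the move, and never keep the caller's filename.
function example_upload_checked( array $file ) {
    // Assumed allow-list for this example: only what the form legitimately needs.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'pdf'      => 'application/pdf',
    );

    // Pre-check: WordPress compares the claimed extension with the detected
    // content type and returns empty 'ext'/'type' on mismatch or unknown types.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'File type not allowed.' );
    }

    $overrides = array(
        'test_form'                => false,
        'test_type'                => true,     // core re-validates on move
        'mimes'                    => $allowed, // same allow-list for the move
        'unique_filename_callback' => 'example_random_filename',
    );
    return wp_handle_upload( $file, $overrides );
}

// Hypothetical helper: random basename plus the already-validated extension
// ($ext arrives with its leading dot), so an attacker-chosen name never lands on disk.
function example_random_filename( $dir, $name, $ext ) {
    return wp_generate_password( 20, false ) . $ext;
}
```

Two caveats when reviewing upload code against this pattern: wp_handle_upload() also waives the type check for users holding the unfiltered_upload capability, so the allow-list protects only against unprivileged callers; and independently of plug-in fixes, denying PHP execution inside wp-content/uploads at the web-server level turns a successful upload of this kind from code execution into a mere file write.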

The plug-in's page on wordpress.org lists more than 100,000 active installations. All versions up to and including the current version 2.9.2 are said to be affected. The researchers state that they contacted the developers at the end of March this year and have received no response so far, so it remains unclear when a security update will appear. Admins should check whether WC Fields Factory is installed alongside the wishlist plug-in and, for safety, deactivate TI WooCommerce Wishlist until a patch is released.

(des)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.