Over 100,000 WordPress sites at risk from critical CVSS 10.0 vulnerabilities in Wishlist plugins


Cybersecurity researchers have disclosed a critical, previously unreported security flaw in the TI WooCommerce Wishlist plugin for WordPress that can be exploited by unauthenticated attackers to upload arbitrary files.

With over 100,000 active installations, TI WooCommerce Wishlist is a tool that lets e-commerce site customers save their favorite products for later and share their lists on social media platforms.

“The plugin is vulnerable to an arbitrary file upload vulnerability that allows an attacker to upload malicious files to the server without authentication,” said John Castro, a researcher at Patchstack.

Tracked as CVE-2025-47577, the vulnerability has a CVSS score of 10.0. It affects all versions of the plugin up to and including 2.9.2, released on November 29, 2024. No patch is available at the moment.

The website security company said the issue lies in a function named tinvwl_upload_file_wc_fields_factory.

When the function calls wp_handle_upload(), it passes two overrides: “test_type” controls whether the file’s Multipurpose Internet Mail Extension (MIME) type is checked against what is expected, and “test_form” controls whether the `$_POST['action']` parameter is checked against what is expected.

Setting “test_type” to false effectively disables the file type check and allows files of any type, including executable PHP scripts, to be uploaded.

The vulnerable function is reachable through tinvwl_meta_wc_fields_factory or tinvwl_cart_meta_wc_fields_factory.

This also means that successful exploitation is only possible if the WC Fields Factory plugin is installed and activated on the WordPress site and its integration is enabled in the TI WooCommerce Wishlist plugin.

In a hypothetical attack scenario, a threat actor could upload a malicious PHP file and then request the uploaded file directly to achieve Remote Code Execution (RCE).

Plugin developers are advised to remove or avoid setting ‘test_type’ => false when calling wp_handle_upload(). Until a patch is available, users of the plugin are advised to deactivate and delete it from their sites.
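As an added illustration (not the plugin’s own code; the handler names are hypothetical), the wp_handle_upload() override pattern the advisory describes is shown beside a hardened form of the same call, so the single setting that turns the upload into an arbitrary file write is easy to spot in a code review:

```php
<?php
// Added illustration, not code from the TI WooCommerce Wishlist plugin.
// Both handler names are hypothetical; they only show the wp_handle_upload()
// override pattern described in the advisory.

// Weak pattern: 'test_type' => false turns off wp_handle_upload()'s
// extension/MIME check, so a .php file is accepted and written under
// wp-content/uploads, where the web server will execute it on request.
function hypothetical_weak_upload( array $file ) {
    $overrides = array(
        'test_form' => false, // skip the $_POST['action'] check
        'test_type' => false, // skip the file type check: the core defect
    );
    return wp_handle_upload( $file, $overrides );
}

// Hardened form: keep the type check on, allow-list only the MIME types the
// feature needs, and require an authenticated, nonce-protected request
// before any file is processed.
function hypothetical_hardened_upload( array $file ) {
    if ( ! is_user_logged_in() || ! current_user_can( 'upload_files' ) ) {
        return array( 'error' => 'Not permitted.' );
    }
    if ( ! isset( $_POST['_wpnonce'] )
        || ! wp_verify_nonce( $_POST['_wpnonce'], 'hypothetical_upload' ) ) {
        return array( 'error' => 'Invalid request.' );
    }
    $overrides = array(
        'test_form' => false,
        'test_type' => true, // the default, stated so the intent is explicit
        // With 'mimes' set, WordPress rejects any file whose extension and
        // sniffed content do not match one of these entries.
        'mimes'     => array(
            'jpg|jpeg' => 'image/jpeg',
            'png'      => 'image/png',
            'pdf'      => 'application/pdf',
        ),
    );
    // Caveat: users holding the 'unfiltered_upload' capability bypass the
    // type check even with 'test_type' => true, so the capability check
    // above is part of the control, not an optional extra.
    $result = wp_handle_upload( $file, $overrides );
    if ( isset( $result['error'] ) ) {
        return $result; // rejected: nothing was written to disk
    }
    // $result['file'] is the stored path, $result['type'] the verified MIME type.
    return $result;
}
```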
