Critical Security Flaw in TI WooCommerce Wishlist Plugin
Overview of the Vulnerability
Security researchers have identified a serious vulnerability in the TI WooCommerce Wishlist plugin for WordPress, which has over 100,000 active installations. The flaw allows unauthenticated attackers to upload arbitrary files to the web server of any site running the affected plugin in a vulnerable configuration.
What is the TI WooCommerce Wishlist Plugin?
The TI WooCommerce Wishlist plugin helps users save their favorite products for future purchase and share these lists on social media. Given its utility for online shoppers, the plugin has become a staple for many WooCommerce sites, but this recent discovery has raised significant concerns regarding site security.
Details of the Vulnerability
The vulnerability, tracked as CVE-2025-47577, has been assigned the maximum CVSS score of 10.0, reflecting that it is exploitable without authentication and leads to code execution. It affects all plugin versions up to and including 2.9.2, the last release, which was published on November 29, 2024. At the time of writing, no patched version is available.
Mechanics of the Flaw
The root cause lies in a function named tinvwl_upload_file_wc_fields_factory. This function hands the uploaded file to WordPress's native wp_handle_upload function, but with the validation checks switched off: the override parameters test_form and test_type are both set to false. That combination renders file type validation ineffective, so an attacker can upload any file type, including executable PHP scripts.
The test_type override tells wp_handle_upload to verify the uploaded file's extension and MIME type (internally via wp_check_filetype_and_ext) against the site's allowed list, and test_form tells it to confirm that $_POST['action'] carries the expected value. By setting both to false, the plugin skips these checks entirely and moves the file into the uploads directory exactly as submitted.
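The following is an added example, not the plugin's actual source: it shows the unsafe override pattern described above next to a hardened equivalent that keeps test_type enabled, restricts the allow-list explicitly and authorises the caller. Both functions assume they run inside WordPress (wp_handle_upload, wp_check_filetype_and_ext, current_user_can and wp_verify_nonce are core functions); the function names, the nonce action and the MIME allow-list are illustrative assumptions.

```php
<?php
// Added example, not code from the TI WooCommerce Wishlist plugin.
// Assumes WordPress is loaded; example_* names and the nonce action are assumptions.

if ( ! function_exists( 'wp_handle_upload' ) ) {
    require_once ABSPATH . 'wp-admin/includes/file.php';
}

/**
 * Unsafe: the pattern behind CVE-2025-47577. With test_type => false,
 * wp_handle_upload() never calls wp_check_filetype_and_ext(), so a
 * file named shell.php is moved into wp-content/uploads unchanged.
 * With test_form => false, the $_POST['action'] check is skipped too.
 */
function example_unsafe_upload( array $file ) {
    $overrides = array(
        'test_form' => false,
        'test_type' => false, // disables extension/MIME validation entirely
    );
    return wp_handle_upload( $file, $overrides );
}

/**
 * Hardened: authenticate and authorise first, validate the type ourselves,
 * then let wp_handle_upload() validate again against an explicit allow-list.
 */
function example_safe_upload( array $file, string $nonce ) {
    if ( ! is_user_logged_in() || ! current_user_can( 'upload_files' ) ) {
        return array( 'error' => 'Insufficient permissions.' );
    }
    if ( ! wp_verify_nonce( $nonce, 'example_wishlist_upload' ) ) {
        return array( 'error' => 'Invalid nonce.' );
    }

    // Assumed allow-list: only the types a wishlist custom field needs.
    $allowed_mimes = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'pdf'      => 'application/pdf',
    );

    // Check extension and real content type before handing the file off.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed_mimes );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return array( 'error' => 'File type not permitted.' );
    }

    $overrides = array(
        'test_form' => false,          // acceptable only because the nonce was verified above
        'test_type' => true,           // keep WordPress's own validation switched on
        'mimes'     => $allowed_mimes, // and restrict it to the allow-list, not the site default
    );
    return wp_handle_upload( $file, $overrides );
}
```

The decisive difference is the single test_type flag: with it set to true, wp_handle_upload returns an error array instead of moving the file whenever the extension or detected content type is not in the allow-list. The explicit capability and nonce checks are what make the endpoint unreachable for an unauthenticated visitor in the first place.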
Conditions for Exploitation
Exploitation depends on a specific configuration. The vulnerable function is only reachable when the WC Fields Factory plugin is active and its integration with TI WooCommerce Wishlist is enabled. A site that runs the wishlist plugin alone is not exposed through this path; successful attacks require both plugins on the same WordPress site with the integration switched on.
Potential Attack Scenarios
An attacker who reaches the upload function can place a PHP file in the uploads directory. Unless the web server is configured to refuse script execution there, requesting that file runs it, giving the attacker remote code execution (RCE) and a foothold for further actions on the server: reading the database credentials in wp-config.php, installing persistent backdoors, or altering the store's pages and checkout flow.
Recommendations for Users and Developers
Given the severity of this vulnerability and the absence of a patch, administrators running the TI WooCommerce Wishlist plugin should act immediately. Plugin developers should never pass test_type set to false to wp_handle_upload(); if a custom endpoint has a legitimate reason to disable the test_form check on $_POST['action'], it must still authenticate the caller (capability check plus nonce) and leave file type validation enabled.
User Actions
Current users of the plugin should deactivate and uninstall it until a fixed version is released. Because both plugins are required for exploitation, deactivating WC Fields Factory or disabling its wishlist integration also closes the attack path in the interim if the wishlist itself cannot be removed right away. It is also worth reviewing wp-content/uploads for unexpected .php files, since that is where a successful upload would land.
Keep checking for updates from the plugin developers, and install the fix as soon as one is published.
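To triage a site against the two preconditions above (a wishlist version at or below 2.9.2 together with an active WC Fields Factory), here is an added WP-CLI script; it is not part of the advisory or of either plugin. It assumes the two plugin basenames shown, which you should confirm against the directory names in wp-content/plugins, and it uses only core functions (get_plugins, is_plugin_active, version_compare) plus the WP_CLI logging helpers.

```php
<?php
// Added example, not from the advisory or either plugin.
// Run with: wp eval-file check-wishlist-exposure.php
// The two basenames are assumptions; verify them on your site.

if ( ! function_exists( 'get_plugins' ) ) {
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
}

$wishlist_basename       = 'ti-woocommerce-wishlist/ti-woocommerce-wishlist.php'; // assumed
$fields_factory_basename = 'wc-fields-factory/wc-fields-factory.php';             // assumed
$last_vulnerable_version = '2.9.2';

/**
 * Classify the inventory: 'exposed' when both preconditions are met,
 * 'partial' when the vulnerable wishlist is active but WC Fields Factory
 * is not, 'clear' otherwise. $plugins is get_plugins() output keyed by
 * basename; $active is the list of active basenames.
 */
function example_wishlist_exposure( array $plugins, array $active, string $wishlist, string $factory, string $max_vuln ): string {
    $wishlist_active = in_array( $wishlist, $active, true );
    $wishlist_vuln   = isset( $plugins[ $wishlist ] )
        && version_compare( $plugins[ $wishlist ]['Version'], $max_vuln, '<=' );
    $factory_active  = in_array( $factory, $active, true );

    if ( $wishlist_active && $wishlist_vuln && $factory_active ) {
        return 'exposed';
    }
    if ( $wishlist_active && $wishlist_vuln ) {
        return 'partial';
    }
    return 'clear';
}

$plugins = get_plugins();
// is_plugin_active() also honours network-activated plugins on multisite.
$active  = array_values( array_filter( array_keys( $plugins ), 'is_plugin_active' ) );

foreach ( array( $wishlist_basename, $fields_factory_basename ) as $basename ) {
    $state = in_array( $basename, $active, true )
        ? 'active'
        : ( isset( $plugins[ $basename ] ) ? 'inactive' : 'not installed' );
    $version = isset( $plugins[ $basename ] ) ? $plugins[ $basename ]['Version'] : '-';
    WP_CLI::log( sprintf( '%-55s %-14s %s', $basename, $state, $version ) );
}

$status = example_wishlist_exposure(
    $plugins, $active, $wishlist_basename, $fields_factory_basename, $last_vulnerable_version
);

switch ( $status ) {
    case 'exposed':
        WP_CLI::warning( 'Both preconditions met: deactivate TI WooCommerce Wishlist or WC Fields Factory now.' );
        break;
    case 'partial':
        WP_CLI::warning( 'Vulnerable wishlist version is active; do not enable WC Fields Factory or its wishlist integration.' );
        break;
    default:
        WP_CLI::success( 'No vulnerable TI WooCommerce Wishlist / WC Fields Factory combination found.' );
}
```

The script cannot tell whether the wishlist-side integration toggle is switched on, because the advisory does not name the option that stores it; treat an 'exposed' result as reachable and check that setting manually in the plugin's admin screen before deciding the path is closed.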
Conclusion
This vulnerability is a reminder that a single disabled validation flag in a widely installed plugin can expose an entire site, and that exploitability often hinges on plugin combinations rather than any one component. Regular updates, prompt response to security advisories and a habit of removing plugins that are no longer maintained all reduce the window of exposure.
Follow the plugin's advisory channels and keep every installed plugin current; an unpatched plugin with a public critical CVE should be treated as an active risk, not a pending chore.