• A flaw in TI WooCommerce Wishlist allows threat actors to upload arbitrary files
• Since the files can be malicious, they could fully take over a website
• A patch is not yet released, so users should take care

A critical-severity vulnerability in a popular WordPress plugin is possibly exposing hundreds of thousands of websites to different risks, including complete website takeover.

Security researchers from Patchstack have claimed TI WooCommerce Wishlist carried an arbitrary file upload flaw, which allowed actors to upload malicious files to the underlying server without authentication.

The vulnerability is now tracked as CVE-2025-47577, and has a severity score of 10/10 (critical).

Reading the calendar

The TI WooCommerce Wishlist plugin is an extension for WooCommerce stores that allows users to create and manage wishlists, saving and sharing their favorite products.

Besides the social sharing options, the plugin comes with AJAX-based functionality, multiple wishlist support in the premium version, email notifications, and more.

According to The Hacker News, it has more than 100,000 active installations, meaning that the potential attack surface is rather large. To make matters worse, these are e-commerce sites, where visitors usually come to spend money, further compounding the risk.

At press time, the newest version of the plugin is 2.9.2, last updated six months ago. Since the patch has not yet been released, users who fear an attack are advised to disable and remove the plugin until a fix is released.

The silver lining here is that successful exploitation is only possible on websites that also have the WC Fields Factory plugin installed and running, and the integration is enabled on the TI WooCommerce Wishlist plugin.

WC Fields Factory is a free WooCommerce plugin that allows store owners to add custom fields to product pages, variations, checkout forms, and the WordPress admin interface.

It supports different field types such as text, number, email, date picker, and more. The plugin allows for dynamic pricing adjustments based on field inputs, field visibility rules, and role-based access controls, as well, and it offers a drag-and-drop form designer.

You might also like

• Top WordPress plugins found to have some serious security flaws, so make sure you’re protected
• Take a look at our guide to the best authenticator app
• We’ve rounded up the best password managers

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.