A critical unauthenticated file upload flaw in the TI WooCommerce Wishlist plugin, tracked as CVE-2025-47577, remains unpatched, leaving over 100,000 WordPress e-commerce sites exposed to remote code execution (RCE) attacks.
On 27 May 2025, Patchstack published a security advisory revealing a zero-day vulnerability in the TI WooCommerce Wishlist plugin, a popular WooCommerce extension with 100,000+ active installations. This flaw enables unauthenticated attackers to upload arbitrary files, potentially leading to full remote code execution (RCE) on vulnerable servers. As of now, no patch is available, and users are urged to uninstall the plugin immediately.
Timeline of Events
Initial Discovery and Disclosure
- 26 March 2025: The vulnerability was discovered by Patchstack researchers during routine plugin security analysis.
- Vendor Notification Attempted: Patchstack notified the plugin developer, but received no response.
- 16 May 2025: With no vendor response and no fix, the issue was added to the Patchstack vulnerability database.
- 27 May 2025: A public advisory was released to alert users of the unpatched risk.
Technical Details: CVE-2025-47577
The vulnerability lies in the tinvwl_upload_file_wc_fields_factory() function located in the plugin's integration with WC Fields Factory. Specifically:

```php
$upload = wp_handle_upload(
    $file,
    [
        'test_form' => false,
        'test_type' => false,
    ]
);
```

Setting 'test_type' => false disables file type validation, allowing attackers to upload any file type, including malicious PHP scripts.
⚠️ Exploitation requires both TI WooCommerce Wishlist and WC Fields Factory to be active with integration enabled.
Once a malicious PHP file is uploaded, attackers can access it remotely and execute arbitrary commands, leading to full server compromise.
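To make concrete what the disabled `test_type` check is supposed to prevent, the following is an added illustration (not code from the plugin, Patchstack, or WordPress core) of an upload validator written in Python. It is not WordPress's own wp_check_filetype_and_ext() logic; it is a stand-alone reimplementation of the same class of check: an extension allowlist, rejection of any dotted segment the web server might hand to the PHP interpreter, and a magic-byte comparison so the content has to match the claimed type. The extension list and magic numbers are constructed for the example.

```python
from dataclasses import dataclass

# Extensions a typical PHP-enabled web server may execute. Constructed list for
# this example; derive the real list from the server's handler configuration.
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}

# Allowlisted upload types, mapped to the leading bytes the content must start with.
ALLOWED_MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}


@dataclass
class Verdict:
    accepted: bool
    reason: str


def validate_upload(filename: str, content: bytes) -> Verdict:
    """Decide whether an uploaded file may be written into a web-served directory.

    This is the kind of validation that 'test_type' => false switches off: with it
    disabled, the filename and content are never compared against an allowlist.
    """
    name = filename.strip().lower()
    parts = name.split(".")
    if len(parts) < 2 or not parts[-1]:
        return Verdict(False, "no extension")

    # Every dotted segment is checked, so 'shell.php' and 'shell.php.jpg' are both
    # rejected, regardless of letter case.
    exts = parts[1:]
    if any(e in EXECUTABLE_EXTS for e in exts):
        return Verdict(False, "executable extension present")

    ext = exts[-1]
    if ext not in ALLOWED_MAGIC:
        return Verdict(False, f"extension .{ext} not allowlisted")

    # The declared type must be backed by the file's own signature.
    if not any(content.startswith(magic) for magic in ALLOWED_MAGIC[ext]):
        return Verdict(False, f"content does not match .{ext} signature")

    # Defensive extra: refuse otherwise valid-looking files that carry PHP open tags.
    if b"<?php" in content or b"<?=" in content:
        return Verdict(False, "embedded PHP open tag")

    return Verdict(True, "ok")


if __name__ == "__main__":
    # Constructed sample inputs.
    samples = [
        ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
        ("shell.php", b"<?php echo 1;"),
        ("shell.php.jpg", b"\xff\xd8\xff"),
        ("image.PHP", b"x"),
        ("logo.png", b"\xff\xd8\xff"),
    ]
    for fname, data in samples:
        v = validate_upload(fname, data)
        print(f"{fname:16} accepted={v.accepted} ({v.reason})")
```

The point of checking every dotted segment rather than only the last one is that some server configurations dispatch on any `.php` segment in a filename, so a last-extension check alone is not enough.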
Global & MEA Perspective
Middle East & Africa (MEA) Risk Outlook
In MEA markets, WordPress is widely adopted due to its low cost and extensibility. Many small-to-medium enterprises (SMEs), especially in the e-commerce and retail sectors, rely heavily on plugins like TI WooCommerce Wishlist to power shopping functionalities.
With limited DevSecOps resources and delayed patch management cycles, such zero-days pose a high threat to regional operators, especially in markets with emerging data protection laws like Nigeria’s NDPR or Saudi Arabia’s PDPL.
“This kind of vulnerability is a textbook case for automated bot exploitation across the Global South, where security hardening is often not prioritized,” says Mohammed A. Khalid, a Dubai-based WordPress security expert.
International Impact and Regulation
In Europe, such flaws would fall under the GDPR’s breach notification requirements if exploitation leads to personal data compromise. In the U.S., depending on the affected data, FTC or state breach laws might apply.
“Site owners who handle customer data must treat this as a potential data breach, even if they see no obvious signs of exploitation,” warned cybersecurity attorney Rachel Goldsmith, referencing GDPR Article 33 obligations.
MITRE ATT&CK Mapping & IOC Summary
Tactics & Techniques:
| Tactic | Technique |
|---|---|
| Initial Access | [T1190] Exploit Public-Facing Application |
| Execution | [T1059.003] Command and Scripting Interpreter (PHP) |
| Persistence | [T1505.003] Web Shell |
Indicators of Compromise (IOCs):
- Files in /wp-content/uploads/wishlist/ with a .php extension
- Unexpected HTTP requests to uploaded .php files
- Log entries indicating access from suspicious IPs or bots
- Abnormal CPU or memory usage due to background scripts
Expert Quotes
“The real danger is the ease of exploitation—there’s no login required, and the file upload logic is already integrated,” said Robert Rowley, Security Advocate at Patchstack.
“Admins often underestimate how quickly a zero-day like this can be weaponized. The moment it hits the news, scanners and bots are updated within hours,” added Nina Al-Maktoum, CTO at InfosecMEA, a leading Middle East security firm.
Actionable Takeaways for Security Teams
- Immediately deactivate and remove the TI WooCommerce Wishlist plugin.
- Audit all recent uploads under /wp-content/uploads/ for malicious PHP or unknown files.
- Check server logs for access to unusual file paths or .php files in the uploads directory.
- Use a web application firewall (WAF) to monitor and block suspicious POST requests.
- Scan your site with tools like Patchstack or Wordfence.
- Update all plugins and themes to their latest versions, especially those related to WooCommerce.
- Disable plugin integrations not actively in use to reduce attack surface.
- Conduct regular vulnerability scans and consider managed security services.
- Train development and admin staff on cybersecurity awareness, especially around file upload risks.
- Monitor the vendor’s website or WordPress plugin repo for any future patch announcements.
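The two hunting steps above (audit the uploads directory, check the access log for hits on .php files under it) and the IOC list in the previous section can be scripted. The following is an added example, not code from Patchstack, Wordfence or the plugin: a small Python script that walks an uploads tree for any file carrying a PHP-style extension in any dotted segment, and parses combined-format web server log lines for requests that reach a .php path under /wp-content/uploads/, noting whether the same client IP issued a POST earlier in the log (the upload-then-execute sequence). The log lines, file names and IP addresses are constructed for the example; the extension list is an assumption and should be matched to the server's handler configuration.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Extensions a PHP-enabled server may execute. Constructed list; adjust to the host.
PHP_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}

# Apache/nginx combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines: an upload-style POST followed by a fetch of a
# .php file under the wishlist uploads folder, plus a benign image request.
SAMPLE_LOG = """\
203.0.113.7 - - [28/May/2025:10:14:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [28/May/2025:10:14:05 +0000] "GET /wp-content/uploads/wishlist/cache.php HTTP/1.1" 200 318 "-" "Mozilla/5.0"
198.51.100.3 - - [28/May/2025:10:15:11 +0000] "GET /wp-content/uploads/2025/05/logo.png HTTP/1.1" 200 8841 "-" "Mozilla/5.0"
"""


def has_php_segment(filename: str) -> bool:
    """True if any dotted segment after the base name is a PHP-style extension."""
    segments = filename.lower().split(".")[1:]
    return any(seg in PHP_EXTS for seg in segments)


def find_php_in_uploads(uploads_root: str) -> List[str]:
    """Return sorted paths (relative to uploads_root) of files that a PHP handler might run."""
    root = Path(uploads_root)
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and has_php_segment(p.name)
    )


def scan_access_log(lines: List[str]) -> List[Dict]:
    """Flag requests to .php paths under /wp-content/uploads/ and whether the client POSTed earlier."""
    posted: set = set()
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        ip, method = m["ip"], m["method"]
        path = m["path"].split("?", 1)[0].lower()
        if "/wp-content/uploads/" in path and has_php_segment(path.rsplit("/", 1)[-1]):
            findings.append({
                "ip": ip,
                "method": method,
                "path": m["path"],
                "status": int(m["status"]),
                "post_seen_before": ip in posted,
            })
        if method == "POST":
            posted.add(ip)
    return findings


def demo_uploads_tree() -> str:
    """Build a constructed uploads directory in a temp folder and return its path."""
    root = Path(tempfile.mkdtemp(prefix="uploads_demo_"))
    (root / "2025" / "05").mkdir(parents=True)
    (root / "wishlist").mkdir()
    (root / "2025" / "05" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n")
    (root / "wishlist" / "notes.txt").write_text("harmless")
    (root / "wishlist" / "cache.php").write_text("<?php /* constructed sample */")
    (root / "wishlist" / "avatar.php.jpg").write_bytes(b"\xff\xd8\xff")
    return str(root)


if __name__ == "__main__":
    for hit in find_php_in_uploads(demo_uploads_tree()):
        print("suspicious upload:", hit)
    for f in scan_access_log(SAMPLE_LOG.splitlines()):
        print("suspicious request:", f)
```

Point `find_php_in_uploads` at the real `/wp-content/uploads/` and feed `scan_access_log` the server's access log; any hit is worth a manual look, and a hit whose client IP POSTed shortly before is the pattern the IOC section describes.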
Conclusion
This zero-day in the TI WooCommerce Wishlist plugin underlines a recurring issue in the WordPress ecosystem: the high risk of plugin-based vulnerabilities, especially in widely-used but under-maintained add-ons. With no patch in sight, the only viable defense is immediate removal and a proactive threat-hunting response. MEA-based website operators should take special notice, given the regional reliance on open-source platforms and evolving regulatory pressure.
Organizations must treat plugin selection and maintenance as core parts of their cybersecurity strategy, not as afterthoughts. If this is the norm going forward, vulnerability management must evolve accordingly.
Sources
- Patchstack Advisory – CVE-2025-47577 (27 May 2025)
- Plugin Directory: TI WooCommerce Wishlist
- WordPress Plugin Handbook – File Uploads
- GDPR Article 33 – Notification of a personal data breach
- MITRE ATT&CK Framework
- Infosec MEA Regional News
- Rachel Goldsmith, Cyber Law Review
- Mohammed Khalid – LinkedIn
- Wordfence Vulnerability Scanner