- A flaw in TI WooCommerce Wishlist allows threat actors to upload arbitrary files
- Since the uploaded files can be malicious, they may well lead to a full website takeover
- A patch has not yet been released, so users must take care
A critical-severity vulnerability in a popular WordPress plugin may expose hundreds of thousands of websites to a range of risks, including full takeover of the website.
Patchstack security researchers said TI WooCommerce Wishlist has an arbitrary file upload flaw that allows threat actors to upload malware to the underlying server without authentication.
The vulnerability is now tracked as CVE-2025-47577 and has a severity score of 10/10 (critical).
The TI WooCommerce Wishlist plugin is an extension for WooCommerce stores that allows users to create and manage wishlists, and to save and share their favorite products.
In addition to social sharing options, the plugin ships with AJAX-based features, support for multiple wishlists in the premium version, email notifications, and more.
According to The Hacker News, it has more than 100,000 active installations, which means the potential attack surface is quite large. To make things worse, these are e-commerce sites, where visitors typically come to spend money, which increases the risk further.
At press time, the latest version of the plugin is 2.9.2, last updated six months ago. Since a fix has not yet been released, users who fear an attack are advised to deactivate and remove the plugin until a fix is available.
The silver lining is that successful exploitation is only possible on websites that also have the WC Fields Factory plugin installed and active, and that have the integration enabled in the TI WooCommerce Wishlist plugin.
WC Fields Factory is a free WooCommerce plugin that allows store owners to add custom fields to product pages, variations, checkout forms, and the WordPress admin interface.
It supports various field types such as text, number, email, date picker, and more. The plugin allows dynamic price adjustments based on field inputs, field visibility rules, and role-based access controls, and it offers a drag-and-drop form designer.