CVE-2025-47577

Name of the Vulnerable Software and Affected Versions TI WooCommerce Wishlist versions prior to 2.9.2

Description The issue is related to an unrestricted upload of files with dangerous types in the TI WooCommerce Wishlist plugin, allowing attackers to upload malicious files to the server without authentication. This can lead to remote code execution. The vulnerability affects over 100,000 WordPress sites. There is no information about real-world incidents where this issue was exploited.

Recommendations For versions prior to 2.9.2, consider deactivating the plugin and removing it from your site until a patch is available. As a temporary workaround, avoid using the tinvwl upload file wc fields factory function and the wp handle upload function with the test type parameter set to false. Restrict access to the tinvwl meta wc fields factory and tinvwl cart meta wc fields factory functions, which are accessible only when the WC Fields Factory plugin is active. At the moment, there is no information about a newer version that contains a fix for this vulnerability.