Unpatched Critical Vulnerability in TI WooCommerce Wishlist Plugin

Published 27 May 2025

This blog post is about an unauthenticated arbitrary file upload in the TI WooCommerce Wishlist plugin. If you're a TI WooCommerce Wishlist user, deactivate and delete the plugin since there is no patched version available.

All paid Patchstack users are protected from this vulnerability. Sign up for the free Community account first, to scan for vulnerabilities and apply protection for only $5 / site per month with Patchstack. For plugin developers, we have security audit services and Enterprise API for hosting companies.

About TI WooCommerce Wishlist plugin

The plugin TI WooCommerce Wishlist, which has over 100,000 active installations, allows WooCommerce store owners to add wishlist functionality to their shops. The plugin can also integrate with other WooCommerce extensions such as WC Fields Factory to enable custom fields and enhanced forms.

The security vulnerability

In the latest version (2.9.2 as of writing this article) and below, the plugin is vulnerable to an arbitrary file upload vulnerability that allows attackers to upload malicious files to the server without authentication. The vulnerability is unpatched in the latest version and is tracked as CVE-2025-47577.

The root of the issue lies in the tinvwl_upload_file_wc_fields_factory function:

function tinvwl_upload_file_wc_fields_factory( $file ) {

    // wp_handle_upload() lives in wp-admin and is not loaded on every request.
    if ( ! function_exists( 'wp_handle_upload' ) ) {
        require_once ABSPATH . 'wp-admin/includes/file.php';
    }

    $upload = wp_handle_upload(
        $file,
        [
            'test_form' => false, // skip the form action check
            'test_type' => false, // skip file type / MIME validation (the root cause)
        ]
    );

    return $upload;
}

This function utilizes WordPress’s wp_handle_upload, which normally performs file type validation. However, by explicitly setting 'test_type' => false, this validation is bypassed, allowing any file type (including executable PHP files) to be uploaded. Using an empty string ('') for 'test_type' would also bypass validation, although we have not observed any real-world usage of that variant in this case.

The vulnerable function is accessible via tinvwl_meta_wc_fields_factory or tinvwl_cart_meta_wc_fields_factory, which are only available when the WC Fields Factory plugin is active.

A typical attack involves uploading a malicious PHP file, allowing the attacker to then trigger remote code execution (RCE) by directly accessing the uploaded file.

Note that the vulnerability is only exploitable if the WC Fields Factory plugin is activated and the integration is enabled on the TI WooCommerce Wishlist plugin.

The patch

As of writing this article, there is no patched version for the plugin. If the vulnerability gets patched in the near future, we will update the article with the patch information and patched version.

Conclusion

To address the vulnerability, plugin developers should immediately remove 'test_type' => false (or avoid setting it at all) when calling wp_handle_upload().

This ensures that only safe file types (such as images or documents) are accepted during the upload process, preserving WordPress’s default security behavior.
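The hardened form of the upload helper, as an added example that is not the plugin's own code: test_type is left at its default so wp_handle_upload() validates the extension and MIME type, an explicit mimes allowlist further narrows what is accepted, and upload errors are surfaced instead of returned silently. The function name and the allowlist contents are assumptions for illustration.

```php
<?php
// Added example (not from the plugin): the safe way to call wp_handle_upload().
// Function name and MIME allowlist are illustrative choices, not the plugin's.
function example_safe_upload_file( $file ) {

    if ( ! function_exists( 'wp_handle_upload' ) ) {
        require_once ABSPATH . 'wp-admin/includes/file.php';
    }

    $upload = wp_handle_upload(
        $file,
        [
            'test_form' => false,
            // 'test_type' is deliberately NOT set, so it keeps its default of
            // true and wp_handle_upload() runs wp_check_filetype_and_ext().
            // 'mimes' restricts the accepted types to this explicit allowlist
            // instead of everything the site permits; PHP is never in it.
            'mimes'     => [
                'jpg|jpeg|jpe' => 'image/jpeg',
                'png'          => 'image/png',
                'gif'          => 'image/gif',
                'pdf'          => 'application/pdf',
            ],
        ]
    );

    // wp_handle_upload() reports rejection via an 'error' key rather than
    // throwing; turn it into a WP_Error so callers cannot ignore it.
    if ( isset( $upload['error'] ) ) {
        return new WP_Error( 'upload_rejected', $upload['error'] );
    }

    return $upload;
}
```

With this change a request carrying a .php file is rejected by wp_handle_upload() before anything is written to the uploads directory.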

Want to learn more about finding and fixing vulnerabilities?

Explore our Academy to master the art of finding and patching vulnerabilities within the WordPress ecosystem. Dive deep into detailed guides on various vulnerability types, from discovery tactics for researchers to robust fixes for developers. Join us and contribute to our growing knowledge base.

Timeline

26 Mar, 2025 - We found the vulnerability and notified the vendor.
16 May, 2025 - No response from the vendor. Published the vulnerability to our database.
27 May, 2025 - Security advisory article publicly released.

Help us make the Internet a safer place

Making the WordPress ecosystem more secure is a team effort, and we believe that plugin developers and security researchers should work together.

  • If you're a plugin developer, join our mVDP program that makes it easier to report, manage and address vulnerabilities in your software.
  • If you're a security researcher, join Patchstack Alliance to report vulnerabilities & earn rewards.
