This blog post is about an unauthenticated arbitrary file upload in the TI WooCommerce Wishlist plugin. If you're a TI WooCommerce Wishlist user, please update the plugin to at least version 2.10.0 (Update: 5th June 2025).
All Patchstack users are protected from this vulnerability. For plugin developers, we have security audit services and Enterprise API for hosting companies.
About TI WooCommerce Wishlist plugin
The plugin TI WooCommerce Wishlist, which has over 100,000 active installations, allows WooCommerce store owners to add wishlist functionality to their shops. The plugin can also integrate with other WooCommerce extensions such as WC Fields Factory to enable custom fields and enhanced forms.
The security vulnerability
In version 2.9.2 and below, the plugin is vulnerable to an arbitrary file upload vulnerability, which allows attackers to upload malicious files to the server without authentication. The vulnerability is now patched in version 2.10.0 and is tracked with CVE-2025-47577.
The root of the issue lies in the tinvwl_upload_file_wc_fields_factory function:
function tinvwl_upload_file_wc_fields_factory( $file ) {
if ( ! function_exists( 'wp_handle_upload' ) ) {
require_once( ABSPATH . 'wp-admin/includes/file.php' );
}
$upload = wp_handle_upload(
$file,
[
'test_form' => false,
'test_type' => false,
]
);
return $upload;
}This function utilizes WordPress’s wp_handle_upload, which normally performs file type validation. However, by explicitly setting 'test_type' => false, this validation is bypassed, allowing any file type (including executable PHP files) to be uploaded. Using an empty string ('') for 'test_type' would also bypass validation, although we have not observed any real-world usage of that variant in this case.
The vulnerable function is accessible via tinvwl_meta_wc_fields_factory or tinvwl_cart_meta_wc_fields_factory, which are only available when the WC Fields Factory plugin is active.
A typical attack involves uploading a malicious PHP file, allowing the attacker to then trigger remote code execution (RCE) by directly accessing the uploaded file.
Note that the vulnerability is only exploitable if the WC Fields Factory plugin is activated and the integration is enabled on the TI WooCommerce Wishlist plugin.
The patch
The vendor decided to remove the test_type parameter from the wp_handle_upload() process (Update: 5th June 2025). The patch can be seen here.
Conclusion
To address the vulnerability, plugin developers should immediately remove or avoid setting 'test_type' => false when using wp_handle_upload().
This ensures that only safe file types (such as images or documents) are accepted during the upload process, preserving WordPress’s default security behavior.
Want to learn more about finding and fixing vulnerabilities?
Explore our Academy to master the art of finding and patching vulnerabilities within the WordPress ecosystem. Dive deep into detailed guides on various vulnerability types, from discovery tactics for researchers to robust fixes for developers. Join us and contribute to our growing knowledge base.
Timeline
Help us make the Internet a safer place
Making the WordPress ecosystem more secure is a team effort, and we believe that plugin developers and security researchers should work together.
- If you're a plugin developer, join our mVDP program that makes it easier to report, manage and address vulnerabilities in your software.
- If you're a security researcher, join Patchstack Alliance to report vulnerabilities & earn rewards.
