Cybersecurity researchers have revealed a critical unwavering lack of security that affects the WooCommerce Wishlist plugin for WordPress, which can be used by unauthorized attackers to download arbitrary files.
Ti WooCommerce Wishlist that is over 100 000 active installationsThis is a tool that allows e -commerce customers to save their favorite products for further and share the social media platforms lists.
“Plugin vulnerable to vulnerability arbitrary files that allow the attackers to download malicious files to the server without authentic – Note.
The vulnerability, which is monitored as CVE-2025-47577, vulnerably carried CVSS 10.0. This affects all versions of the plugin below and, including 2.9.2, released on November 29, 2024. There is currently no patch.
Web -Saite Security Company noted that the problem is a feature called “tinvwl_uplood_file_wc_fields_factory”, which in turn uses another WordPress family function “wp_handle_upload“To carry out the check, but sets over the” Test_form “and” Test_type “option on” False “.
Realized “Test_type” is used to check whether it was possible to check the multifunctional Internet expansion (MIME) is expected while “test_form” – check if the parameter is $ _post (“action”) as expected.
When setting up “Test_type” to False, it allows you to effectively bypass the file type check that allows you to download any file type.
In this case, the vulnerable feature is available using tinvwl_meta_wc_fields_factory or tinvwl_cart_meta_wc_fields_factory, which are only available when the WC Fields plugin.
It also means that successful operation is possible only if the WC Fields plugin is installed and activated on WordPress, and integration is included in the WooCommerce Wishing plugin.
In a hypothetical attack scenario, the threatening actor can upload the malicious PHP file and reach the remote code (RCE) by accessing the downloaded file.
Developers of plugins are recommended to remove or avoid settings ‘test_type’ => false when using wp_handle_upload (). In the absence of a patch, the users call for deactivate and delete the plugin from their sites.
