Date: 30 May 2025
A critical security flaw has been found in the TI WooCommerce Wishlist Plugin for WordPress. The vulnerability allows unauthenticated attackers to upload malicious files, potentially resulting in remote code execution and full website compromise.
Overview
This vulnerability stems from insufficient validation on file uploads. If exploited, attackers could install backdoors or web shells, granting complete control of the affected website. Over 100,000 sites are believed to be vulnerable.
CVE ID: CVE-2025-47577
Severity: Critical
Type: Unauthenticated File Upload / Remote Code Execution
Affected Versions: Up to and including version 2.9.2
Mitigation Steps
- Deactivate and remove the plugin immediately unless it is essential to your site.
- Regularly monitor upload directories for unfamiliar or suspicious files.
- Limit file upload permissions and implement security tools such as WAFs.
- Watch for vendor updates and apply any new patches once available.
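One way to carry out the upload-directory check in the second step above, as an added Python example that is not from the advisory or the plugin vendor. It assumes a standard wp-content/uploads tree in which only media files belong, treats any PHP-executable extension or PHP opening tag as suspicious, and runs against a constructed sample tree:

```python
import os
import tempfile

# Extensions commonly mapped to the PHP handler on shared hosts (assumed list).
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}
# Opening tags that mark PHP source regardless of the file name.
PHP_TAGS = (b"<?php", b"<?=")

def suspicious_reasons(path):
    """Return the reasons a file under uploads looks suspicious (empty list if clean)."""
    reasons = []
    name = os.path.basename(path).lower()
    # Check every extension segment so 'avatar.php.jpg' is caught as well as 'shell.php'.
    for ext in name.split(".")[1:]:
        if ext in EXECUTABLE_EXTS:
            reasons.append("executable extension: ." + ext)
            break
    if name == ".htaccess":
        reasons.append(".htaccess in uploads can re-enable script execution")
    with open(path, "rb") as fh:
        head = fh.read(4096)  # a leading PHP tag is enough; no need to read whole media files
    if any(tag in head for tag in PHP_TAGS):
        reasons.append("PHP opening tag in content")
    return reasons

def scan_uploads(root):
    """Walk `root` (wp-content/uploads) and map relative path -> reasons for each suspicious file."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            reasons = suspicious_reasons(full)
            if reasons:
                findings[os.path.relpath(full, root).replace(os.sep, "/")] = reasons
    return findings

def demo():
    """Build a constructed uploads tree, scan it and return the findings."""
    root = tempfile.mkdtemp(prefix="uploads-")
    os.makedirs(os.path.join(root, "2025", "05"))
    samples = {  # constructed sample files, not taken from any real site
        "2025/05/photo.jpg": b"\xff\xd8\xff\xe0JFIF",                 # genuine JPEG header, clean
        "2025/05/shell.php": b"<?php /* constructed marker */ ?>",    # script where only media belongs
        "2025/05/avatar.php.jpg": b"<?php /* marker */ ?>",           # double extension
        "2025/05/logo.png": b"\x89PNG\r\n\x1a\n<?php",                # PHP tag hidden behind an image header
    }
    for rel, data in samples.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(data)
    return scan_uploads(root)

if __name__ == "__main__":
    for rel, reasons in sorted(demo().items()):
        print(rel, "->", "; ".join(reasons))
```

Run it from cron against the real uploads directory and alert on any non-empty result; a legitimate media library should produce no findings at all.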
Summary for Security Teams
- Product: TI WooCommerce Wishlist Plugin (WordPress)
- Threat Level: Critical
- Action: Immediate removal or upgrade required
Need Help?
If your organisation requires assistance identifying affected systems, applying updates or adjusting security control configurations, our team is here to help. Email us at soc@secure-iss.com for assistance.