More than 100,000 WordPress websites at risk due to serious vulnerability

A significant security concern has emerged for WordPress-based e-commerce websites, particularly those using the popular ‘TI WooCommerce Wishlist’ plugin. A recent alert highlighted by TechRadar informs website owners of a critical vulnerability, rated 10/10 (CVE-2025-47577), discovered by researchers from Patchstack. This flaw poses a serious risk, potentially allowing attackers to gain full control of affected websites.

The TI WooCommerce Wishlist plugin, which boasts over 100,000 active installations, is widely used to help customers create and manage wishlists on WooCommerce stores. However, the vulnerability enables malicious users to upload arbitrary files to the server without any authentication. This compromises the site’s security and could lead to the installation of malware, theft of sensitive data, or even total data loss—risks that are especially alarming for e-commerce sites handling payment information and customer details.

Compounding the issue is the fact that the latest version of the TI WooCommerce Wishlist plugin (2.9.2) has not been updated in six months, and there is currently no official patch available to address this critical vulnerability. As a precaution, security experts strongly advise website administrators to disable and remove the plugin until a fix is provided.

It’s important to note that successful exploitation of this vulnerability seems to require the simultaneous presence of the ‘WC Fields Factory’ plugin, also free for WooCommerce, which is used to add custom fields on products and checkout pages. Despite this caveat, the severity rating of 10/10 necessitates immediate action; administrators should proactively remove this plugin to mitigate potential risks. Users are encouraged to stay informed by closely monitoring updates from Patchstack and the broader WordPress community regarding any forthcoming patches.
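To check a site against the conditions described above, the following added example (not code from Patchstack, TechRadar or either plugin) reads the standard `Plugin Name:` and `Version:` headers from every plugin under a `wp-content/plugins` directory and reports whether the wishlist plugin is present at 2.9.2 or earlier, alone or together with WC Fields Factory. The header names are assumed to match the plugin names as the article spells them; the result labels are made up for this example.

```python
import re
from pathlib import Path

# Plugin display names as spelled in the article (assumption: they match the
# "Plugin Name:" header WordPress reads from each plugin's main PHP file).
WISHLIST = "TI WooCommerce Wishlist"
FIELDS_FACTORY = "WC Fields Factory"
LAST_UNPATCHED = (2, 9, 2)  # latest release named in the article, no fix yet

HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t\r]*$",
                    re.I | re.M)

def read_plugin_headers(plugin_dir):
    """Return {plugin name: version string} for one plugin directory."""
    found = {}
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_text(errors="replace")[:8192]  # header sits at the top
        fields = {k.lower(): v for k, v in HEADER.findall(head)}
        if "plugin name" in fields:
            found[fields["plugin name"]] = fields.get("version", "")
    return found

def parse_version(text):
    """'2.9.2' -> (2, 9, 2); an empty or missing version gives ()."""
    return tuple(int(n) for n in re.findall(r"\d+", text)[:3])

def audit(plugins_root):
    """Classify a wp-content/plugins directory against the article's conditions."""
    installed = {}
    for d in Path(plugins_root).iterdir():
        if d.is_dir():
            installed.update(read_plugin_headers(d))
    wishlist = next((v for n, v in installed.items()
                     if WISHLIST.lower() in n.lower()), None)
    factory = any(FIELDS_FACTORY.lower() in n.lower() for n in installed)
    if wishlist is None:
        return "not-installed"
    if parse_version(wishlist) > LAST_UNPATCHED:
        return "newer-release"  # beyond what the article covers; check the advisory
    # Both plugins on disk is the combination the article says exploitation needs.
    return "exposed" if factory else "remove-wishlist"
```

The check looks at files on disk, so a deactivated but not removed plugin is still reported; an unreadable or missing version is treated as unpatched.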
