Critical Vulnerability in TI WooCommerce Wishlist Plugin Exposes Over 100,000 WordPress Sites
Vulnerabilities
Researchers from Patchstack have disclosed CVE-2025-47577, a critical vulnerability (CVSS 10) in the TI WooCommerce Wishlist plugin, which is used by more than 100,000 WordPress sites. This vulnerability allows an unauthenticated attacker to upload arbitrary files and achieve remote code execution (RCE). The issue stems from the tinvwl_upload_file_wc_fields_factory function.