Widespread website compromise likely with TI WooCommerce Wishlist plugin bug

More than 100,000 WordPress sites could be breached in attacks involving a yet-to-be-patched, maximum-severity unauthenticated file upload vulnerability in the TI WooCommerce Wishlist plugin, reports GBHackers News.
The flaw, tracked as CVE-2025-47577, originates in the 'tinvml_upload_file_wc_fields_factory' function of the 'integrations/wc-fields-factory.php' file, which allowed the plugin to deactivate security measures against the execution of unwanted files, a lapse that could enable remote code execution, according to an analysis from Patchstack. Malicious actors could then leverage the 'tinvwl_meta_wc_fields_factory' or 'tinvwl_cart_meta_wc_fields_factory' functions for unauthenticated exploitation of the plugin defect, enabling server infiltration, data theft, or operational disruptions. Organizations with WooCommerce stores have been urged not only to deactivate and uninstall the TI WooCommerce Wishlist plugin but also to conduct security audits and obtain enterprise API services to mitigate potential attacks. Immediate patching has also been recommended upon the release of a security fix.