Arbitrary File Upload Vulnerability in TI WooCommerce Wishlist by TemplateInvaders
CVE-2025-47577

Score: 10 (CRITICAL)

Key Information:

Vendor: WordPress
CVE Published: 19 May 2025

Badges: 📈 Score: 1,070 | 👾 Exploit Exists | 🟡 Public PoC | 📰 News Worthy

What is CVE-2025-47577?

CVE-2025-47577 is an arbitrary file upload vulnerability in the TI WooCommerce Wishlist plugin for WordPress, developed by TemplateInvaders. The plugin extends WooCommerce by letting customers create and manage wishlists. The vulnerability stems from improper handling of file uploads, which allows an attacker to upload files of dangerous types, including web shells. By exploiting this weakness, an attacker can gain unauthorized access to the web server hosting the application, which may lead to compromise of the entire website. Organizations using this plugin are at significant risk, especially those without robust controls to monitor and restrict file uploads.

Potential impact of CVE-2025-47577

  1. Remote Code Execution: Attackers can upload web shells or other executable files, giving them control over the server and enabling them to execute arbitrary commands remotely, which can lead to complete takeover of the web application.

  2. Data Breach Risk: With the ability to execute code on the server, attackers can access sensitive data stored in databases, potentially leading to the exfiltration of customer information, payment details, and other confidential business data.

  3. Defacement and Service Disruption: The exploitation of this vulnerability may allow attackers to alter the website's content or take down the service entirely, damaging the organization’s reputation and disrupting service for users, resulting in potential loss of revenue.

Affected Version(s)

TI WooCommerce Wishlist < 2.10.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to ransomware.

News Articles

Over 100,000 WordPress Sites at Risk from Critical CVSS 10.0 Vulnerability in Wishlist Plugin

CVE-2025-47577 flaw in TI WooCommerce Wishlist lets unauthenticated attackers upload malicious files—no patch yet, 100K+ sites at risk.

1 week ago

Wordpress TI WooCommerce Wishlist Plugin Vulnerability Exposes 100,000+ Websites To Cyberattack

CVE-2025-47577 in TI WooCommerce Wishlist plugin lets attackers upload files unauthenticated, risking 100K+ WordPress sites (CVSS 10).

2 weeks ago

CVSS V3.1

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • 🟡 Public PoC available
  • 👾 Exploit known to exist
  • 📰 First article discovered by CybersecurityNews
  • Vulnerability published
  • Vulnerability reserved

Credit

Rafie Muhammad (Patchstack)