WordPress Plugin Vulnerabilities

TI WooCommerce Wishlist < 2.10.0 - Unauthenticated Arbitrary File Upload

Description

The plugin is vulnerable to arbitrary file uploads due to missing file type validation. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

Affects Plugins

Plugin icon
ti-woocommerce-wishlist
Fixed in 2.10.0

References

CVE
CVE-2025-47577
URL
https://patchstack.com/database/wordpress/plugin/ti-woocommerce-wishlist/vulnerability/wordpress-ti-woocommerce-wishlist-2-9-2-arbitrary-file-upload-vulnerability

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
4a919840-6d2a-4dff-931e-4a0ee31a5424

Timeline

Publicly Published
2025-05-16 (about 11 months ago)
Added
2025-05-21 (about 11 months ago)
Last Updated
2026-04-30 (about 13 days ago)

Other

Published
Title
Published
2025-10-23
Title
AIO Forms < 1.3.19 - Authenticated (Admin+) Arbitrary File Upload via Zip Import
Published
2025-10-14
Title
Flex QR Code Generator < 1.2.6 - Unauthenticated Arbitrary File Upload
Published
2025-07-03
Title
VikRentCar Car Rental Management System < 1.4.4 - Authenticated (Administrator+) Arbitrary File Upload
Published
2021-06-01
Title
Fancy Product Designer < 4.6.9 - Unauthenticated Arbitrary File Upload and RCE
Published
2024-10-17
Title
Property Lot Management System <= 1.0 - Authenticated (Salesman+) Arbitrary File Upload