Do you ever find yourself casually scrolling through online stores, just like I do? It’s my go-to thing when I have a little free time—browsing, checking out new products, and building a wishlist that grows longer every day. And yes, eventually, some of those “just looking” items end up in my cart.
But imagine this: what if this innocent-looking tool secretly held a dangerous flaw, a hidden trap waiting for an attacker?
In the vast landscape of WordPress plugins, the TI WooCommerce Wishlist plugin stands out as a favorite among e-commerce site owners. With over 100,000 active installations, it allows customers to create wishlists, enhancing their shopping experience. However, beneath its user-friendly facade lurked a critical vulnerability that remained unpatched, leaving countless websites exposed to potential attacks.
WordPress plugin vulnerabilities are nothing new. In fact, we recently published a news article about a fake Anti-Malware WordPress plugin designed to trick users into installing malware. Did you get a chance to read that one?
Introduction
On March 26, 2025, security researcher John Castro from Patchstack identified a severe security flaw in the TI WooCommerce Wishlist plugin, a popular WordPress plugin used by over 100,000 online stores. The vulnerability is rated critical and, at the time of writing, remains unpatched.
The Plot Thickens: A Backdoor for Bad Actors
The “TI WooCommerce Wishlist” plugin, as its name suggests, helps store owners add handy wishlist features for their customers. But according to the findings by Patchstack, a severe “arbitrary file upload” vulnerability exists in its latest version (2.9.2) and earlier.
In simple terms, this flaw acts like an unauthorized back door. It allows an attacker to upload any type of file they want onto a website, even dangerous ones, without needing to log in or prove who they are.
The root of the issue lay in the tinvwl_upload_file_wc_fields_factory function, which utilized WordPress’s wp_handle_upload function with the ‘test_type’ parameter set to false. This configuration bypassed file type validation, enabling attackers to upload malicious files, including executable PHP scripts.
The Exploitation Path
Patchstack’s investigation, detailed in their original article, revealed that the problem lies in a specific function within the plugin. Normally, WordPress has safeguards to check what kind of files are being uploaded, ensuring only safe ones (like images) get through. However, this plugin accidentally bypassed that crucial security check, opening the door for malicious PHP files – which are essentially small programs that can run on the server – to be uploaded.
The real danger comes if another plugin, “WC Fields Factory,” is also active and integrated with the wishlist plugin. If these conditions are met, an attacker could upload a harmful file and then remotely execute code on the server, potentially taking full control of the website. This is what’s known as Remote Code Execution (RCE) – a very serious threat.
The vulnerable function was accessible via tinvwl_meta_wc_fields_factory or tinvwl_cart_meta_wc_fields_factory, but only when the WC Fields Factory plugin was active. An attacker could exploit this vulnerability by uploading a malicious PHP file and then accessing it directly, leading to remote code execution on the server.
The Silence: No Patch Yet
As of Patchstack’s report on May 27, 2025, there is no official patch or fix available for this vulnerability. This means that stores using the “TI WooCommerce Wishlist” plugin are currently exposed to this risk.
Patchstack’s timeline shows they discovered the vulnerability on March 26, 2025, and tried to notify the plugin vendor. After no response by May 16, 2025, they added the vulnerability to their vulnerability database and then publicly released the security advisory on May 27, 2025, to warn the community.
The Mitigation
If you are a WooCommerce store owner using the “TI WooCommerce Wishlist” plugin, Patchstack strongly advises deactivating and deleting the plugin immediately. Until a patched version is released, this is the safest course of action.
This incident underscored the importance of rigorous input validation and adherence to security best practices in plugin development. Specifically, developers should avoid setting ‘test_type’ => false when using wp_handle_upload(), ensuring that only safe file types are accepted during the upload process.
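To make the root cause and the developer advice above concrete, here is an added illustration (not the plugin’s own code and not from Patchstack’s advisory) of the weak wp_handle_upload() call pattern beside a hardened version. The function names and the ‘wishlist_upload’ nonce action are assumptions chosen for the example; the wp_handle_upload() override keys (‘test_type’, ‘test_form’, ‘mimes’) are real WordPress core options.

```php
<?php
// Added illustration (not the plugin's own code): the weak wp_handle_upload()
// pattern described in the article beside a hardened form.
// unsafe_wishlist_upload() and safe_wishlist_upload() are hypothetical names.

// Weak: 'test_type' => false turns off WordPress's extension/MIME check
// (wp_check_filetype_and_ext), so any file, including a .php script, is
// written into the uploads directory.
function unsafe_wishlist_upload( array $file ) {
    $overrides = array(
        'test_form' => false,
        'test_type' => false, // the dangerous setting
    );
    return wp_handle_upload( $file, $overrides );
}

// Hardened: require an authenticated user with upload rights and a valid
// nonce, keep type testing on, and pass an explicit allow-list of image types.
function safe_wishlist_upload( array $file, string $nonce ) {
    if ( ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient permissions.' );
    }
    // 'wishlist_upload' is a hypothetical nonce action name for this example.
    if ( ! wp_verify_nonce( $nonce, 'wishlist_upload' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid request token.' );
    }
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    );
    // Reject by extension and detected MIME type before handing the file to core.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'Only JPEG, PNG and GIF images are accepted.' );
    }
    $overrides = array(
        'test_form' => false,
        'test_type' => true,     // the WordPress default, stated explicitly
        'mimes'     => $allowed, // allow-list instead of the site-wide MIME list
    );
    return wp_handle_upload( $file, $overrides );
}
```

The hardened version fails closed: a file whose extension or sniffed content is not on the allow-list is refused before wp_handle_upload() ever writes it to disk.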
Warnings from the Past
This latest unpatched vulnerability isn’t an isolated incident for the TI WooCommerce Wishlist plugin; it’s part of a worrying pattern. This plugin has a documented history of severe security problems.
For example, in September 2024, a SQL injection vulnerability (CVE-2024-9156) was found, allowing unauthenticated users to execute arbitrary SQL queries on the WordPress site’s database. Alarmingly, no patch was available at the time of discovery.
Even earlier, in October 2020, a critical zero-day vulnerability was identified. This flaw let authenticated users modify the WordPress options table and was actively exploited in the wild.
Do you use Google Meet a lot for work meetings? If yes, be careful. We found a fake Google Meet page that’s being used in a scam. You should definitely read about it, it’s important to stay safe online.
Last Words Before You Go
The discovery by Patchstack and John Castro underscores the ongoing battle against cyber threats and the vital role of security researchers. Making the internet a safer place, especially for platforms like WordPress that power so many websites, requires a collective effort from developers, security experts, and users alike. Staying informed and taking prompt action are our best defenses.
But why worry about cybersecurity updates when MalVirus is here!