Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

Over 100,000 WordPress Sites at Risk from Critical CVSS 10.0 Vulnerability in Wishlist Plugin

The Hacker News by The Hacker News
May 29, 2025
Home Cybersecurity
Share on FacebookShare on Twitter


May 29, 2025Ravie LakshmananVulnerability / Website Security

Cybersecurity researchers have disclosed a critical unpatched security flaw impacting TI WooCommerce Wishlist plugin for WordPress that could be exploited by unauthenticated attackers to upload arbitrary files.

TI WooCommerce Wishlist, which has over 100,000 active installations, is a tool to allow e-commerce site customers to save their favorite products for later and share the lists on social media platforms.

“The plugin is vulnerable to an arbitrary file upload vulnerability which allows attackers to upload malicious files to the server without authentication,” Patchstack researcher John Castro said.

Tracked as CVE-2025-47577, the vulnerability carries a CVSS score of 10.0. It affects all versions of the plugin below and including 2.9.2 released on November 29, 2024. There is currently no patch available.

The website security company said the issue lies in a function named “tinvwl_upload_file_wc_fields_factory,” which, in turn, uses another native WordPress function “wp_handle_upload” to perform the validation, but sets the override parameters “test_form” and “test_type” to “false.”

Cybersecurity

The “test_type” override is used to check whether the Multipurpose Internet Mail Extension (MIME) type of the file is as expected, while “test_form” is to check to verify if the $_POST[‘action’] parameter is as expected.

In setting “test_type” to false, it allows the file type validation to be effectively bypassed, thereby allowing any file type to be uploaded.

That having said, the vulnerable function is accessible via tinvwl_meta_wc_fields_factory or tinvwl_cart_meta_wc_fields_factory, which are only available when the WC Fields Factory plugin is active.

This also means that successful exploitation is only possible if the WC Fields Factory plugin is installed and activated on the WordPress site and the integration is enabled on the TI WooCommerce Wishlist plugin.

In a hypothetical attack scenario, a threat actor could upload a malicious PHP file and achieve remote code execution (RCE) by directly accessing the uploaded file.

Plugin developers are recommended to remove or avoid setting ‘test_type’ => false when using wp_handle_upload(). In the absence of a patch, users of the plugin are urged to deactivate and delete the plugin from their sites.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.





Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
The Hacker News

The Hacker News

Next Post
Chinese APT41 Exploits Google Calendar for Malware Command-and-Control Operations

Chinese APT41 Exploits Google Calendar for Malware Command-and-Control Operations

Recommended.

How CIOs can rebuild IT operating models for the AI era

How CIOs can rebuild IT operating models for the AI era

July 14, 2025
Triller CEO Sean Kim to Unveil Industry-Changing Innovations & Creator Economy Trend Forecast at Web Summit Qatar 2025

Triller CEO Sean Kim to Unveil Industry-Changing Innovations & Creator Economy Trend Forecast at Web Summit Qatar 2025

February 17, 2025

Trending.

⚡ Weekly Recap: Oracle 0-Day, BitLocker Bypass, VMScape, WhatsApp Worm & More

⚡ Weekly Recap: Oracle 0-Day, BitLocker Bypass, VMScape, WhatsApp Worm & More

October 6, 2025
Cloud Computing on the Rise: Market Projected to Reach .6 Trillion by 2030

Cloud Computing on the Rise: Market Projected to Reach $1.6 Trillion by 2030

August 1, 2025
Stocks making the biggest moves midday: Autodesk, PayPal, Rivian, Nebius, Waters and more

Stocks making the biggest moves midday: Autodesk, PayPal, Rivian, Nebius, Waters and more

July 14, 2025
The Ultimate MSP Guide to Structuring and Selling vCISO Services

The Ultimate MSP Guide to Structuring and Selling vCISO Services

February 19, 2025
Translators’ Voices: China shares technological achievements with the world for mutual benefit

Translators’ Voices: China shares technological achievements with the world for mutual benefit

June 3, 2025

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio