Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2025-47577

CVE-2025-47577: TI WooCommerce Wishlist RCE Vulnerability

CVE-2025-47577 is a remote code execution flaw in TI WooCommerce Wishlist allowing web shell uploads. Attackers can exploit unrestricted file uploads to execute malicious code. This article covers technical details and patches.

Updated:

CVE-2025-47577 Overview

CVE-2025-47577 is a critical Unrestricted Upload of File with Dangerous Type vulnerability (CWE-434) affecting the TI WooCommerce Wishlist WordPress plugin developed by TemplateInvaders. This vulnerability allows unauthenticated attackers to upload malicious files, including web shells, directly to a vulnerable web server. Successful exploitation grants attackers complete control over the affected WordPress installation and potentially the underlying server infrastructure.

The vulnerability exists in versions prior to 2.10.0 of the TI WooCommerce Wishlist plugin, which is widely used to add wishlist functionality to WooCommerce-powered e-commerce stores.

Critical Impact

Unauthenticated attackers can upload web shells to WordPress servers running vulnerable versions of TI WooCommerce Wishlist, leading to complete server compromise, data theft, and persistent backdoor access.

Affected Products

  • TI WooCommerce Wishlist versions before 2.10.0
  • WordPress installations with TI WooCommerce Wishlist plugin enabled
  • WooCommerce-powered e-commerce sites using the wishlist functionality

Discovery Timeline

  • 2025-05-19 - CVE-2025-47577 published to NVD
  • 2025-06-05 - Last updated in NVD database

Technical Details for CVE-2025-47577

Vulnerability Analysis

This vulnerability stems from inadequate file type validation in the TI WooCommerce Wishlist plugin's file upload functionality. The plugin fails to properly validate and restrict the types of files that can be uploaded through its interface, allowing attackers to bypass security controls and upload executable files such as PHP web shells.

The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type), which occurs when an application allows users to upload files without properly verifying that the file type is safe and expected. In this case, the plugin does not adequately check file extensions, MIME types, or file contents before allowing the upload to complete.

Root Cause

The root cause of CVE-2025-47577 is the absence of proper file type validation mechanisms in the plugin's upload handling code. Specifically, the plugin lacks:

  • Proper file extension whitelisting to restrict uploads to safe file types only
  • MIME type verification to ensure uploaded files match their claimed type
  • Content-based file validation to detect malicious payloads regardless of extension
  • Authentication requirements for the vulnerable upload endpoint

Without these safeguards, attackers can craft malicious requests that bypass any superficial checks and successfully upload executable PHP files to the web server's accessible directories.

Attack Vector

The attack vector for this vulnerability is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by:

  1. Identifying a WordPress site running a vulnerable version of TI WooCommerce Wishlist
  2. Crafting a malicious HTTP request containing a PHP web shell payload
  3. Submitting the request to the vulnerable upload endpoint
  4. Accessing the uploaded web shell to execute arbitrary commands on the server

Once a web shell is uploaded, attackers gain the ability to execute arbitrary system commands, access sensitive files including WordPress configuration and database credentials, install persistent backdoors, modify site content, pivot to attack other systems on the network, and exfiltrate customer data from the WooCommerce store.

The attack requires no special privileges and can be executed remotely over the network, making it particularly dangerous for internet-facing WordPress installations.

Detection Methods for CVE-2025-47577

Indicators of Compromise

  • Unexpected PHP files appearing in WordPress upload directories (e.g., wp-content/uploads/)
  • Web server access logs showing requests to unfamiliar PHP files with suspicious query parameters
  • Unusual outbound network connections originating from the web server
  • Unexplained changes to WordPress core files or plugin files
  • New administrator accounts or modified user privileges in WordPress

Detection Strategies

  • Monitor file system integrity using tools that alert on new executable files in upload directories
  • Implement web application firewall (WAF) rules to detect and block web shell upload attempts
  • Review web server access logs for POST requests to plugin endpoints followed by GET requests to new PHP files
  • Deploy endpoint detection solutions that can identify known web shell signatures and behaviors
  • Conduct regular plugin version audits to identify outdated and vulnerable plugins

Monitoring Recommendations

  • Configure file integrity monitoring on all WordPress directories, especially wp-content/uploads/ and wp-content/plugins/
  • Set up alerts for any new .php, .phtml, or other executable file extensions in upload directories
  • Monitor for unusual process spawning from web server processes (e.g., Apache or Nginx spawning shell commands)
  • Implement network monitoring to detect command-and-control communications from compromised servers
  • Enable detailed logging for the TI WooCommerce Wishlist plugin and review for anomalous activity

How to Mitigate CVE-2025-47577

Immediate Actions Required

  • Update TI WooCommerce Wishlist to version 2.10.0 or later immediately
  • Audit WordPress upload directories for any suspicious or unexpected PHP files
  • Review web server access logs for signs of exploitation attempts
  • If compromise is suspected, isolate the affected server and perform forensic analysis
  • Consider temporarily disabling the TI WooCommerce Wishlist plugin until patching is complete

Patch Information

The vulnerability has been addressed in TI WooCommerce Wishlist version 2.10.0. Administrators should update to this version or later as soon as possible. The patch is available through the standard WordPress plugin update mechanism or by downloading the latest version from the official WordPress plugin repository.

For detailed vulnerability information and patch details, refer to the Patchstack security advisory.

Workarounds

  • Implement a web application firewall (WAF) with rules to block file upload attacks targeting the vulnerable endpoint
  • Configure web server settings to prevent PHP execution in upload directories using .htaccess rules or Nginx configuration
  • Restrict access to the WordPress admin area and plugin endpoints to trusted IP addresses only
  • Temporarily disable the TI WooCommerce Wishlist plugin until the patch can be applied
  • Implement file upload validation at the web server level to reject requests containing PHP content
bash
# Apache .htaccess configuration to prevent PHP execution in uploads directory
# Add this to wp-content/uploads/.htaccess
<FilesMatch "\.(php|phtml|php3|php4|php5|php7|phps|phar|shtml)$">
    Order Allow,Deny
    Deny from all
</FilesMatch>

# Alternative: Disable PHP entirely in uploads
php_flag engine off

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne