
A newly discovered critical vulnerability in a widely used WordPress plugin is putting over 100,000 websites, mainly e-commerce stores, at serious risk of exploitation, up to and including complete site takeover.
Security experts at Patchstack revealed that the TI WooCommerce Wishlist plugin contains a zero-authentication arbitrary file upload flaw. This allows unauthenticated attackers to upload malicious files directly to the server, potentially enabling full access and control over the website.
The flaw is officially tracked as CVE-2025-47577 and has been assigned the maximum CVSS severity score of 10.0, reflecting its extremely high risk.
The plugin, an extension designed for WooCommerce stores to let customers save and share wishlists, is active on more than 100,000 WordPress websites, significantly widening the attack surface. Many of these are live e-commerce platforms that handle sensitive customer data and payments, increasing the severity of a potential breach.
To make matters worse, the vulnerability remains unpatched. The plugin’s latest version is 2.9.2, which was last updated six months ago. Security professionals are currently advising users to disable or remove the plugin immediately until a secure update is made available.
There’s a silver lining: the vulnerability can only be exploited if the “WC Fields Factory” plugin is also installed and its integration is enabled within the TI WooCommerce Wishlist plugin. WC Fields Factory is used to add custom fields to WooCommerce product pages and forms, offering features like role-based access control and dynamic pricing.
As of now, developers have not announced a timeline for a fix. WordPress site owners are encouraged to check their installations, remove affected plugins, and keep a close watch for any unusual activity.
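As a concrete way to carry out the "check your installation" advice above, here is an added triage script (not Patchstack's or the plugin author's code) that reads `wp plugin list --format=json` from WP-CLI and applies the conditions the report states: TI WooCommerce Wishlist active at version 2.9.2 or older, and WC Fields Factory also active. The plugin slugs `ti-woocommerce-wishlist` and `wc-fields-factory` are assumptions; confirm them against the `name` column of your own `wp plugin list` output. The sample plugin list at the bottom is constructed so the script runs offline.

```python
import json
import subprocess

WISHLIST_SLUG = "ti-woocommerce-wishlist"  # assumed WordPress.org slug
FIELDS_FACTORY_SLUG = "wc-fields-factory"  # assumed WordPress.org slug
LATEST_UNPATCHED = (2, 9, 2)               # newest release named in the report


def parse_version(text):
    """Turn '2.9.2' into (2, 9, 2); non-numeric pieces count as 0."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def assess(plugins):
    """Classify `wp plugin list --format=json` records as
    not-installed, dormant (wishlist present, precondition unmet) or exposed."""
    by_name = {p["name"]: p for p in plugins}
    wish = by_name.get(WISHLIST_SLUG)
    if wish is None:
        return "not-installed", "TI WooCommerce Wishlist not present"
    if wish["status"] != "active":
        return "dormant", "wishlist plugin installed but inactive; remove it"
    if parse_version(wish["version"]) > LATEST_UNPATCHED:
        return "dormant", "version newer than 2.9.2; check whether it is a fixed release"
    factory = by_name.get(FIELDS_FACTORY_SLUG)
    if factory is None or factory["status"] != "active":
        return "dormant", "WC Fields Factory not active; still remove wishlist"
    # The integration toggle lives in the wishlist plugin's own settings and is
    # not visible in the plugin list, so both plugins active is treated as exposed.
    return "exposed", "both plugins active on unpatched 2.9.2"


def assess_site(wp_path="."):
    """Run WP-CLI against a real install and classify it."""
    out = subprocess.check_output(
        ["wp", "plugin", "list", "--format=json", "--path=" + wp_path])
    return assess(json.loads(out))


# Constructed sample in the shape WP-CLI emits, so the script runs offline.
SAMPLE = json.loads("""[
 {"name": "woocommerce", "status": "active", "update": "none", "version": "9.0.0"},
 {"name": "ti-woocommerce-wishlist", "status": "active", "update": "none", "version": "2.9.2"},
 {"name": "wc-fields-factory", "status": "active", "update": "none", "version": "4.1.0"}
]""")
```

Call `assess_site("/var/www/html")` on a real install; a "dormant" result still means an unpatched plugin is present, so the advice to remove it stands.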