- A flaw in TI WooCommerce Wishlist allows threat actors to upload arbitrary files
- Since the files may be malicious, they could lead to a full site takeover
- A patch is not yet released, so users have to protect themselves
A critical-severity vulnerability in a popular WordPress plugin may expose hundreds of thousands of sites to various risks, including complete site takeover.
Patchstack security researchers have reported that TI WooCommerce Wishlist has an arbitrary file upload flaw that allows threat actors to upload malicious files to the underlying server without authorization.
The vulnerability is now tracked as CVE-2025-47577 and carries a severity score of 10/10 (critical).
Reading the calendar
The TI WooCommerce Wishlist plugin is an extension for WooCommerce stores that lets users create and manage wishlists, and save and share their favorite products.
In addition to social sharing options, the plugin offers AJAX-based functionality, multiple-wishlist support in the premium version, email notifications and more.
According to The Hacker News, it has more than 100,000 active installations, which means the potential attack surface is quite large. To make things worse, these are e-commerce sites where visitors usually come to spend money, which further aggravates the risk.
At press time, the latest version of the plugin is 2.9.2, last updated six months ago. As a patch has not yet been released, users who fear an attack are advised to disable and remove the plugin until a fix is available.
The silver lining is that successful exploitation is only possible on sites that also have the WC Fields Factory plugin installed and active, with the integration enabled in the TI WooCommerce Wishlist plugin.
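The two conditions above (vulnerable wishlist plugin present, WC Fields Factory active) and the interim advice (disable and remove the plugin) translate into a straightforward triage check. The following script is an added example, not code from Patchstack, the plugin author or the article: it reads a plugin inventory in the shape WP-CLI's `wp plugin list --format=json` produces and rates the site's exposure, and it also flags executable files under the uploads directory, the artefact an arbitrary file upload would typically leave behind. The plugin slugs `ti-woocommerce-wishlist` and `wc-fields-factory`, the sample inventory and the sample upload paths are assumptions or constructed values.

```python
"""Triage helper for the TI WooCommerce Wishlist advisory (CVE-2025-47577).

Added example, not code from Patchstack or the plugin. It consumes the JSON
emitted by `wp plugin list --format=json`; the inventory and upload paths
below are constructed, and the plugin slugs are assumptions.
"""
import json
import os

# Assumed WP-CLI plugin slugs (the article names the plugins, not their slugs).
WISHLIST_SLUG = "ti-woocommerce-wishlist"
FIELDS_FACTORY_SLUG = "wc-fields-factory"
# Latest release at the time of the article. No fixed version exists yet, so
# every version up to and including this one is treated as affected.
LAST_KNOWN_VERSION = "2.9.2"

# Extensions PHP-capable web servers commonly execute; double extensions such
# as "image.php.jpg" are caught because every segment is inspected.
EXECUTABLE_EXTS = {"php", "php3", "php5", "php7", "phtml", "phar"}


def parse_version(v):
    """'2.9.2' -> (2, 9, 2); a suffix such as '2.9.2-beta' is dropped."""
    parts = []
    for segment in v.split("."):
        digits = ""
        for ch in segment:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def assess(plugins):
    """Rate exposure from a plugin inventory.

    Levels: "none" (wishlist plugin absent), "review" (version newer than the
    last known release; confirm the changelog before trusting it), "latent"
    (affected version on disk but the WC Fields Factory precondition is not
    met), "exposed" (affected version active alongside active WC Fields Factory).
    """
    by_name = {p["name"]: p for p in plugins}
    wishlist = by_name.get(WISHLIST_SLUG)
    if wishlist is None:
        return {"level": "none", "reasons": ["wishlist plugin not installed"]}
    if parse_version(wishlist["version"]) > parse_version(LAST_KNOWN_VERSION):
        return {"level": "review", "reasons": [
            f"version {wishlist['version']} is newer than {LAST_KNOWN_VERSION}; "
            "verify that its changelog lists a fix for CVE-2025-47577"]}
    reasons = [f"{WISHLIST_SLUG} {wishlist['version']} is on disk and no fix is published"]
    factory = by_name.get(FIELDS_FACTORY_SLUG)
    factory_active = factory is not None and factory["status"] == "active"
    if wishlist["status"] == "active" and factory_active:
        # The integration toggle lives in plugin settings, not in the inventory,
        # so an active WC Fields Factory is conservatively treated as exposure.
        reasons.append("WC Fields Factory is active; assume the integration may be enabled")
        return {"level": "exposed", "reasons": reasons}
    if wishlist["status"] != "active":
        reasons.append("plugin is deactivated but still on disk; remove it until a fix ships")
    else:
        reasons.append("WC Fields Factory is absent or inactive, closing the known path; "
                       "still deactivate and remove the plugin as advised")
    return {"level": "latent", "reasons": reasons}


def find_executable_uploads(paths):
    """Return upload paths whose file name carries an executable extension."""
    flagged = []
    for path in paths:
        segments = os.path.basename(path).lower().split(".")[1:]
        if any(seg in EXECUTABLE_EXTS for seg in segments):
            flagged.append(path)
    return sorted(flagged)


# Constructed sample inventory (versions other than 2.9.2 are made up).
SAMPLE_INVENTORY = json.loads("""[
  {"name": "woocommerce", "status": "active", "version": "9.8.1"},
  {"name": "ti-woocommerce-wishlist", "status": "active", "version": "2.9.2"},
  {"name": "wc-fields-factory", "status": "active", "version": "4.1.9"}
]""")

# Constructed sample listing of wp-content/uploads.
SAMPLE_UPLOADS = [
    "wp-content/uploads/2025/05/product.jpg",
    "wp-content/uploads/2025/05/invoice.pdf",
    "wp-content/uploads/2025/05/shell.php",
    "wp-content/uploads/2025/05/image.php.jpg",
    "wp-content/uploads/wc-fields-factory/note.txt",
]

if __name__ == "__main__":
    verdict = assess(SAMPLE_INVENTORY)
    print(f"exposure: {verdict['level']}")
    for reason in verdict["reasons"]:
        print(f"  - {reason}")
    for path in find_executable_uploads(SAMPLE_UPLOADS):
        print(f"executable upload: {path}")
```

On a real site, pipe `wp plugin list --format=json` into `assess` and a `find wp-content/uploads -type f` listing into `find_executable_uploads`; a "latent" verdict still warrants removing the plugin, since the script cannot see the integration setting and the article's advice does not depend on it.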
WC Fields Factory is a free WooCommerce plugin that allows store owners to add custom fields to product pages, variations, checkout forms and the WordPress admin interface.
It supports different field types such as text, number, e-mail, date picker and more. The plugin allows dynamic price adjustments based on field inputs, field visibility rules and role-based access controls, and it offers a drag-and-drop form designer.