This Plugin Could Put 100,000 WooCommerce Sites at Risk

WooCommerce Security Flaw

There’s a new security flaw that could put hundreds of WooCommerce websites in danger. The issue lies in a popular plugin called TI WooCommerce Wishlist. Hundreds of online stores use this plugin to allow customers to save items they want to buy later. The vulnerability was reported by Patchstack, which revealed that it could affect more than 100,000 websites.

The TI WooCommerce Wishlist, as the name suggests, adds wishlist functionality to online stores running WooCommerce. It can also integrate with other WooCommerce extensions like WC Fields Factory to enable custom fields and improved forms.

According to Patchstack, the vulnerability stems from a function that disables WordPress’s built-in file type checks. This allows attackers to upload potentially dangerous file types, including PHP scripts, which can then be executed to take control of the site.

The exploit only becomes active when the WC Fields Factory plugin is installed and integrated with TI WooCommerce Wishlist, but it still poses a serious threat to any site meeting those conditions.

The vulnerability has been assigned the identifier CVE-2025-47577. As of now, the plugin’s developers have not released a fix. Until there is one, users are advised to delete the plugin immediately and monitor their sites for any suspicious activity.

With cyber attacks on websites on the rise, it’s better to be cautious when installing new plugins on your website, or at least to do a little research before downloading one. Recently, there was malware that disguised itself as a legitimate WordPress plugin while in reality tricking website owners and giving hackers full access.

So, basically, if you run a WordPress site or any other website, it’s always a good idea to check your plugin directory and core files for anything unusual. Also, make sure that you’re using up-to-date security tools, and monitor your logs for suspicious activity.