
Critical Bug in E-commerce Website, Over 10000 Customers Impacted


WordPress plugin exploit

Cybersecurity experts have found a critical, unpatched security vulnerability in the TI WooCommerce Wishlist plugin for WordPress that unauthenticated attackers could abuse to upload arbitrary files.

TI WooCommerce Wishlist has more than 100,000 active installations. It allows e-commerce website users to save their favorite products for later and share the lists on social media platforms. According to Patchstack researcher John Castro, “The plugin is vulnerable to an arbitrary file upload vulnerability which allows attackers to upload malicious files to the server without authentication.”

About the vulnerability 

Tracked as CVE-2025-47577, the vulnerability has a CVSS score of 10.0 (critical). It affects all versions of the plugin below 2.9.2, which was released on November 29, 2024. Currently, there is no patch available.

According to the security company, the issue lies in a function called "tinvwl_upload_file_wc_fields_factory", which relies on the native WordPress function "wp_handle_upload" to process the upload but passes the override parameters "test_form" and "test_type" as "false".

The "test_type" check verifies that the file's Multipurpose Internet Mail Extensions (MIME) type is one that is expected, while the "test_form" check verifies that the $_POST['action'] parameter carries the correct value.

Setting "test_type" to false effectively bypasses the file type validation, permitting any file type to be uploaded.
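To make the two override flags concrete, here is an added illustration (not code from the TI WooCommerce Wishlist plugin or from Patchstack) showing the weak wp_handle_upload() call pattern described above beside a hardened handler; the function names, nonce action and allow-list are hypothetical.

```php
<?php
// Added illustration, not the plugin's own code. Handler names and the
// nonce action 'example_upload_nonce' are hypothetical.

// Weak pattern: both built-in checks disabled, so any file type is accepted
// and the request's action value is never compared.
function example_weak_upload_handler() {
    if ( empty( $_FILES['file'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }
    $overrides = array(
        'test_form' => false, // skips the $_POST['action'] comparison
        'test_type' => false, // skips the MIME / extension validation
    );
    wp_send_json_success( wp_handle_upload( $_FILES['file'], $overrides ) );
}

// Hardened pattern: nonce, login and capability checks, then an explicit
// allow-list enforced by WordPress itself via test_type + mimes.
function example_hardened_upload_handler() {
    check_ajax_referer( 'example_upload_nonce', 'nonce' );
    if ( ! is_user_logged_in() || ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( empty( $_FILES['file'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }
    // wp_handle_upload() lives in an admin include when called from AJAX.
    if ( ! function_exists( 'wp_handle_upload' ) ) {
        require_once ABSPATH . 'wp-admin/includes/file.php';
    }
    // Only the types this feature actually needs; everything else is rejected.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'pdf'      => 'application/pdf',
    );
    $overrides = array(
        'test_form' => true,             // require $_POST['action'] === 'action'
        'action'    => 'example_upload', // the expected action value
        'test_type' => true,             // validate extension and content
        'mimes'     => $allowed,         // against this allow-list only
    );
    $result = wp_handle_upload( $_FILES['file'], $overrides );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( $result );
}
```

With test_type enabled, WordPress runs wp_check_filetype_and_ext() internally and rejects files whose extension or detected content is not in the mimes allow-list, which is exactly the check the weak pattern turns off.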

About the plugin

The TI WooCommerce Wishlist plugin is an extension for WooCommerce stores that lets users create and manage wishlists, saving and sharing their wishlist products.

Apart from social sharing options, the plugin offers AJAX-based functionality, email alerts and, in the premium version, support for multiple wishlists.

Impact of attack

The scale of the potential attack surface is massive. A major concern is that these are e-commerce sites where customers spend money, which compounds the risk.

Currently, the latest version of the plugin is 2.9.2, last updated 6 months ago. As no patch has yet been released, concerned users are advised to deactivate and remove the plugin until a fix is issued.

The good news is that effective compromise is only possible on sites that also have the WC Fields Factory plugin installed and active, with its integration enabled in the TI WooCommerce Wishlist plugin. This narrows the set of exploitable sites and makes things more difficult for threat actors.