CVE-2025-47577: 
WordPress vulnerability analysis and mitigation

An Unrestricted Upload of File with Dangerous Type vulnerability (CVE-2025-47577) was discovered in TemplateInvaders TI WooCommerce Wishlist plugin versions through 2.9.2. The vulnerability was initially reported on March 26, 2025, and publicly disclosed on May 16, 2025. This security flaw affects WordPress installations using the TI WooCommerce Wishlist plugin, which has over 100,000 active installations (Patchstack).

The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) and has received a Critical CVSS v3.1 base score of 10.0 with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. The root cause lies in the tinvwluploadfilewcfieldsfactory function, which uses WordPress's wphandleupload with 'testtype' => false, bypassing file type validation. The vulnerability is only exploitable when the WC Fields Factory plugin is activated and the integration is enabled (Patchstack).

The vulnerability allows attackers to upload arbitrary files, including web shells, to the affected web server without authentication. This could potentially lead to complete server compromise as it enables the execution of malicious code on the target system. The high CVSS score of 10.0 indicates the most severe possible impact on affected systems (Wiz, Patchstack).

As of the disclosure date, no official fix is available for this vulnerability. Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks until an official fix becomes available. Website administrators are advised to implement the virtual patch immediately or consider temporarily deactivating and deleting the plugin (Patchstack).