Валентин Шнайдер, Hot News
30 May 2025, 13:18
Over 100,000 WordPress sites at risk due to vulnerability in popular Wishlist plugin
A huge number of WordPress sites are at risk of being hacked due to a critical vulnerability in the popular TI WooCommerce Wishlist plugin. What’s more, at the time of publication, no patch has been released for the issue, and the vulnerability has received the highest criticality score on the CVSS scale — 10.0.
According to The Hacker News, the issue affects all versions of the TI WooCommerce Wishlist plugin up to and including 2.9.2, released on November 29, 2024. The vulnerability allows unauthorized users to upload arbitrary files to the server, which could lead to complete control over the site.
What is TI WooCommerce Wishlist?
This is one of the more popular WordPress plugins; it lets online store customers create wish lists and share them on social networks. With over 100,000 active installations, the plugin's vulnerability poses a large-scale threat. Security issues with WordPress plugins are nothing new: similar vulnerabilities have previously been discovered in WP File Manager, Elementor, and other popular extensions. This once again emphasizes the importance of regularly updating website components and conducting security audits.
Patchstack researcher John Castro analyzed the vulnerability in detail. According to him, the problem is centered in the tinvwl_upload_file_wc_fields_factory function, which uses the native WordPress function wp_handle_upload. However, the plugin sets the security check parameters test_form and test_type to false, which effectively disables file type validation and lets malicious content bypass the filtering that would otherwise reject it.
However, there is a caveat: the mentioned function is active only if the WC Fields Factory plugin is installed and enabled on the site. This means exploitation is possible only in one specific scenario, when both plugins are active together.
In the event of a successful attack, an attacker can upload a malicious PHP file to the site and execute it remotely, gaining full control over the web resource.
Plugin developers are advised not to disable WordPress's file type check (the test_type override) when calling wp_handle_upload. Until an update is released, users are advised to immediately deactivate and remove the TI WooCommerce Wishlist plugin from their sites.
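To make the advice concrete, here is an added illustration of the call pattern the article describes beside a hardened version. This is example code written for this article, not the plugin's own code and not from Patchstack; the function names, the nonce action and the allow-list are assumptions chosen for the example. The weak version overrides wp_handle_upload's checks exactly as described above; the hardened version requires an authenticated user with the upload_files capability, verifies a nonce, keeps test_type on and restricts uploads to an explicit MIME allow-list.

```php
<?php
// Added example (not the plugin's code). Function names are hypothetical.

// Weak pattern: turning off WordPress's own checks means wp_handle_upload()
// will accept any file, including a .php file, as the article describes.
function example_weak_upload( array $file ) {
    $overrides = array(
        'test_form' => false, // skips the 'action' form-field check
        'test_type' => false, // skips extension/MIME validation entirely
    );
    return wp_handle_upload( $file, $overrides );
}

// Hardened pattern: authenticate, authorize, verify a nonce, and keep
// WordPress's type validation on with an explicit allow-list.
function example_hardened_upload( array $file ) {
    // Only logged-in users holding the upload_files capability may upload.
    if ( ! is_user_logged_in() || ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient permissions.' );
    }

    // Require a valid nonce tied to this specific upload action (hypothetical name).
    $nonce = isset( $_POST['example_upload_nonce'] ) ? $_POST['example_upload_nonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'example_upload' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid request.' );
    }

    // Explicit allow-list of extensions and MIME types (assumption: images only).
    $allowed_mimes = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    );

    // Validate the real content type against the claimed extension before
    // handing the file off; this rejects renamed PHP files.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed_mimes );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'File type not allowed.' );
    }

    $overrides = array(
        // test_form only compares $_POST['action'] to 'wp_handle_upload'; it is
        // not a file-type control. Our nonce check above covers request validity.
        'test_form' => false,
        // Keep WordPress's extension/MIME validation enabled.
        'test_type' => true,
        // Restrict wp_handle_upload() itself to the same allow-list.
        'mimes'     => $allowed_mimes,
    );

    // Returns array( 'file', 'url', 'type' ) on success or array( 'error' => ... ).
    return wp_handle_upload( $file, $overrides );
}
```

Both functions expect a single entry of $_FILES (for example $_FILES['wishlist_file']) as their argument. The point of the hardened version is that no single check carries the whole burden: even if the nonce or capability check were bypassed, test_type and the mimes allow-list still stop an executable upload from landing in the uploads directory.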
We also recently wrote about how Google urged users to immediately update their Chrome browser due to a high-severity vulnerability that allows remote attackers to steal sensitive data from other sites.