- A flaw in the TI WooCommerce Wishlist plugin allows threat actors to upload arbitrary files
- Since the uploaded files can be malicious, they could lead to a full site takeover
- No patch has been released yet, so users must be careful
A critical severity vulnerability in a popular WordPress plugin is potentially exposing hundreds of thousands of websites to a range of risks, including complete site takeover.
Security researchers at Patchstack have confirmed that TI WooCommerce Wishlist carries an arbitrary file upload flaw, which allows attackers to upload malicious files to the underlying server without authentication.
The vulnerability is now tracked as CVE-2025-47577 and carries a 10/10 severity score (critical).
Reading the calendar
The TI WooCommerce Wishlist plugin is an extension for WooCommerce stores that lets shoppers create and manage wishlists, and save and share their favorite products.
Alongside social sharing options, the plugin comes with Ajax-based functionality, support for multiple wishlists in the premium version, email notifications and more.
According to The Hacker News, it has more than 100,000 active installations, which means the potential attack surface is quite large. To make things worse, these are e-commerce sites, where visitors generally come to spend money, further aggravating the risk.
At press time, the most recent version of the plugin is 2.9.2, last updated six months ago. Since no patch has been released yet, users who fear an attack are advised to deactivate and delete the plugin until a fix is available.
The silver lining is that successful exploitation is only possible on sites that also have the WC Fields Factory plugin installed and active, with the WC Fields Factory integration enabled in the TI WooCommerce Wishlist plugin's settings.
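A quick way to triage a fleet of sites against the two conditions above (vulnerable wishlist version present and active, WC Fields Factory active) is to run the check against `wp plugin list` output. The script below is an added example, not code from Patchstack or from either plugin's authors. It assumes the WordPress.org plugin slugs `ti-woocommerce-wishlist` and `wc-fields-factory`, and that `wp plugin list --format=csv --fields=name,status,version` prints a header row followed by one `name,status,version` row per plugin; the plugin list embedded here is constructed for the example. The third condition, the integration toggle inside the wishlist plugin's settings, is not visible in the plugin list and must be checked separately in the admin UI.

```shell
#!/bin/sh
# Exposure check for CVE-2025-47577 as described in the article (added example, not vendor code).
# Assumed plugin slugs (not stated in the article): ti-woocommerce-wishlist, wc-fields-factory.
# In production, replace SAMPLE_PLUGIN_LIST with:
#   PLUGIN_LIST=$(wp plugin list --format=csv --fields=name,status,version)

# Constructed sample output standing in for the wp-cli command above.
SAMPLE_PLUGIN_LIST='name,status,version
woocommerce,active,9.8.1
ti-woocommerce-wishlist,active,2.9.2
wc-fields-factory,active,5.1.0
akismet,inactive,5.3'

LAST_AFFECTED_VERSION=2.9.2   # latest release at press time; no fixed version exists yet

# plugin_row LIST SLUG -> prints "status version" for SLUG, or nothing if absent
plugin_row() {
  printf '%s\n' "$1" | awk -F, -v slug="$2" 'NR > 1 && $1 == slug { print $2, $3 }'
}

# version_le A B -> succeeds when version A <= version B (natural version ordering)
version_le() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# is_exposed LIST -> succeeds when the site matches the exploitable configuration:
#   wishlist plugin active at an affected version AND WC Fields Factory active.
# The integration toggle cannot be derived from the plugin list; confirm it in the settings UI.
is_exposed() {
  list=$1
  set -- $(plugin_row "$list" ti-woocommerce-wishlist)
  wl_status=${1:-absent}; wl_version=${2:-0}
  set -- $(plugin_row "$list" wc-fields-factory)
  ff_status=${1:-absent}
  [ "$wl_status" = active ] || return 1
  [ "$ff_status" = active ] || return 1
  version_le "$wl_version" "$LAST_AFFECTED_VERSION"
}

# Remediation matching the article's advice: deactivate and delete the plugin until a fix ships.
#   wp plugin deactivate ti-woocommerce-wishlist && wp plugin delete ti-woocommerce-wishlist
if is_exposed "$SAMPLE_PLUGIN_LIST"; then
  echo "EXPOSED: active TI WooCommerce Wishlist <= $LAST_AFFECTED_VERSION with WC Fields Factory active; verify the integration setting"
else
  echo "not exposed by plugin state (wishlist plugin inactive, absent, or WC Fields Factory inactive)"
fi
```

Run it with the real `wp plugin list` output substituted for the sample; a site that reports as exposed should have the wishlist plugin deactivated and removed, since disabling WC Fields Factory alone only removes one of the preconditions the article names.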
WC Fields Factory is a free WooCommerce plugin that lets store owners add custom fields to product pages, variations, checkout forms and the WordPress admin interface.
It supports different field types such as text, number, email, date picker and more. The plugin allows dynamic pricing based on field input, field visibility rules and role-based access controls, and offers a drag-and-drop form designer.