Description
Unrestricted Upload of File with Dangerous Type vulnerability in templateinvaders TI WooCommerce Wishlist ti-woocommerce-wishlist allows Upload a Web Shell to a Web Server. This issue affects TI WooCommerce Wishlist: from n/a through <= 2.9.2.
Published: 2025-05-19
Score: 10 Critical
EPSS: 33.4% Moderate
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

TI WooCommerce Wishlist by templateinvaders permits unrestricted upload of files with dangerous types. The flaw allows an attacker to place a web shell on the server and thereby execute arbitrary code. Because the plugin does not properly validate file types, the malicious payload can be delivered with no user interaction beyond the upload action itself. A successful compromise grants complete control over the affected system and can lead to data theft, defacement or further infections.

Affected Systems

WordPress installations that have the TI WooCommerce Wishlist plugin version 2.9.2 or earlier are affected. Administrators and site owners need to verify whether their WordPress sites use this plugin and determine the exact version used.

Risk and Exploitability

The CVSS score of 10 indicates critical severity. The EPSS score of 33% indicates an elevated probability of exploitation, and the vulnerability can be leveraged by attackers with access to the plugin’s upload functionality. It is not listed in the CISA KEV catalog. Based on the description, the expected attack vector is the plugin’s file upload endpoint, which accepts arbitrary file types without validation. The vulnerability is likely exploitable by any user who can submit a file through the upload form, which implies a broad attack surface with minimal prerequisites beyond the ability to interact with the upload interface.

Generated by OpenCVE AI on May 22, 2026 at 15:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update TI WooCommerce Wishlist to a version newer than 2.9.2
  • If an immediate update is not possible, disable the plugin’s file upload feature or configure the server to block uploads of executables and shell scripts
  • Implement a web application firewall rule that rejects requests with file extensions such as .php, .phtml, .exe or other executable types to prevent future uploads


Advisories
Source: EUVD
ID: EUVD-2025-15805
Title: Unrestricted Upload of File with Dangerous Type vulnerability in TemplateInvaders TI WooCommerce Wishlist allows Upload a Web Shell to a Web Server. This issue affects TI WooCommerce Wishlist: from n/a before 2.10.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Unrestricted Upload of File with Dangerous Type vulnerability in TemplateInvaders TI WooCommerce Wishlist allows Upload a Web Shell to a Web Server. This issue affects TI WooCommerce Wishlist: from n/a before 2.10.0.
  Added: Unrestricted Upload of File with Dangerous Type vulnerability in templateinvaders TI WooCommerce Wishlist ti-woocommerce-wishlist allows Upload a Web Shell to a Web Server. This issue affects TI WooCommerce Wishlist: from n/a through <= 2.9.2.
Title
  Removed: WordPress TI WooCommerce Wishlist < 2.10.0 - Arbitrary File Upload Vulnerability
  Added: WordPress TI WooCommerce Wishlist plugin <= 2.9.2 - Arbitrary File Upload Vulnerability
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


Thu, 05 Jun 2025 08:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Unrestricted Upload of File with Dangerous Type vulnerability in TemplateInvaders TI WooCommerce Wishlist allows Upload a Web Shell to a Web Server. This issue affects TI WooCommerce Wishlist: from n/a through 2.9.2.
  Added: Unrestricted Upload of File with Dangerous Type vulnerability in TemplateInvaders TI WooCommerce Wishlist allows Upload a Web Shell to a Web Server. This issue affects TI WooCommerce Wishlist: from n/a before 2.10.0.
Title
  Removed: WordPress TI WooCommerce Wishlist <= 2.9.2 - Arbitrary File Upload Vulnerability
  Added: WordPress TI WooCommerce Wishlist < 2.10.0 - Arbitrary File Upload Vulnerability

Mon, 19 May 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 19 May 2025 18:30:00 +0000

Type Values Removed Values Added
Description Unrestricted Upload of File with Dangerous Type vulnerability in TemplateInvaders TI WooCommerce Wishlist allows Upload a Web Shell to a Web Server. This issue affects TI WooCommerce Wishlist: from n/a through 2.9.2.
Title WordPress TI WooCommerce Wishlist <= 2.9.2 - Arbitrary File Upload Vulnerability
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T00:18:21.013Z

Reserved: 2025-05-07T09:55:31.577Z

Link: CVE-2025-47577

Vulnrichment

Updated: 2025-05-19T18:48:24.649Z

NVD

Status: Deferred

Published: 2025-05-19T19:15:51.997

Modified: 2026-04-23T15:30:31.190

Link: CVE-2025-47577

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T15:15:09Z

Weaknesses