cbcvebase.
CVE-2025-47577
published 2025-05-19


Priority P2 · 76 · critical · 10 · CVSS 3.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EXPLOIT
EPSS: 4.91% (91.0th percentile)
Unrestricted Upload of File with Dangerous Type vulnerability in templateinvaders TI WooCommerce Wishlist ti-woocommerce-wishlist allows Upload a Web Shell to a Web Server. This issue affects TI WooCommerce Wishlist: from n/a through <= 2.9.2.

Affected (1 range)

Vendor: templateinvaders
Product: ti_woocommerce_wishlist
Version range: <= 2.9.2
Fixed in: not given

Detection & IOCs (extracted from sources)

path: /wp-content/plugins/ti-woocommerce-wishlist/
path: /wp-content/uploads/{{year}}/{{month}}/{{upload_file}}
url: POST / (multipart/form-data with filename upload to wishlist endpoint)
bytes: 4a0a0047304502200136c98e3b373880c03643fa11265c6305d8b54f947f23e2a9d6f47cbf122d9e022100bc7572596674128ea5e75185a0be34bddee87b7563992921c3b369a93ba8a49a:922c64590222798bb761d5b6d8e72950
  • Detect unauthenticated multipart file upload POST requests to the WordPress root (/) containing the wishlist form fields 'tinv_wishlist_id', 'product_action=addto', and a 'file' part — no authentication required (PR:N).
  • Alert on files appearing under /wp-content/uploads/ that were delivered via a multipart POST to the wishlist endpoint; the response JSON field 'wishlist_url' will contain a path referencing the uploaded file under wp-content/uploads.
  • Presence of the plugin path /wp-content/plugins/ti-woocommerce-wishlist/ on a server combined with version <= 2.9.2 (NVD) or <= 2.10.0 (Patchstack) indicates a vulnerable target.
  • The exploit flow requires exactly 4 HTTP requests: (1) GET /shop/ to harvest a product ID, (2) POST multipart upload, (3) GET wishlist URL to confirm upload path, (4) GET direct file path — this 4-step sequence is a reliable behavioral signature.
  • Look for the multipart boundary value '-----------------------------735323031399963166993862150' in POST body — used verbatim in the published PoC exploit.
  • The affected version range differs between NVD and the Nuclei template: NVD states 'through <= 2.9.2' while the template description states '<= 2.10.0'. Verify the exact patched version before scoping detections.
  • Exploitation requires no authentication (PR:N, CVSS 9.8), meaning any unauthenticated internet user can trigger the upload; WAF rules should not restrict detection to authenticated sessions.
  • The Nuclei template is marked 'intrusive': running it against production systems will actually upload a file to /wp-content/uploads/. Ensure cleanup procedures are in place when using this template for detection validation.
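The detection notes above can be turned into a concrete rule. The following is an added example written for this record, not code from the plugin, the Nuclei template or the CVE source: it evaluates pre-parsed HTTP request/response records against the indicators listed on the page (unauthenticated multipart POST to the WordPress root carrying the wishlist fields and a 'file' part, the published PoC boundary, and a 'wishlist_url' response field pointing under wp-content/uploads). The record layout (a plain dict with the keys named in the docstring) and the sample traffic are assumptions constructed for the example; a real deployment would populate the records from a WAF or web-server log parser.

```python
"""Detection helper for the unauthenticated wishlist file-upload pattern.

Added example, not part of the CVE record. Records are assumed to be dicts
produced by some upstream log/WAF parser with these keys:
  method, path, content_type, authenticated (bool), form (dict of text
  fields), files (list of multipart part names), body_boundary (str|None),
  response_json (dict|None).
"""
import re

# Indicator values taken from the detection notes on the page.
WISHLIST_FIELDS = {"tinv_wishlist_id", "product_action"}
POC_BOUNDARY = "-----------------------------735323031399963166993862150"
# Upload path shape: /wp-content/uploads/{{year}}/{{month}}/{{upload_file}}
UPLOAD_PATH_RE = re.compile(r"/wp-content/uploads/\d{4}/\d{2}/[^\s\"']+")


def classify_request(rec):
    """Return the list of indicator names matched by one request record.

    Order of hits is fixed so callers can assert on it.
    """
    hits = []
    multipart = rec.get("content_type", "").lower().startswith("multipart/form-data")
    form = rec.get("form", {})

    # Core signature: multipart POST to "/" with the wishlist form fields and a file part.
    if (rec.get("method") == "POST"
            and rec.get("path") == "/"
            and multipart
            and WISHLIST_FIELDS.issubset(form)
            and form.get("product_action") == "addto"
            and "file" in rec.get("files", [])):
        hits.append("wishlist_multipart_upload")
        # PR:N on the page: the upload needs no session, so flag the missing auth explicitly.
        if not rec.get("authenticated", False):
            hits.append("unauthenticated")

    # Secondary indicator: the boundary string used verbatim by the published PoC.
    if rec.get("body_boundary") == POC_BOUNDARY:
        hits.append("known_poc_boundary")

    # Confirmation: response 'wishlist_url' referencing a file under wp-content/uploads.
    resp = rec.get("response_json") or {}
    if "wishlist_multipart_upload" in hits and UPLOAD_PATH_RE.search(resp.get("wishlist_url", "")):
        hits.append("upload_path_in_wishlist_url")
    return hits


def scan(records):
    """Return (index, hits) for every record matching at least one indicator."""
    return [(i, h) for i, r in enumerate(records) if (h := classify_request(r))]


# Constructed sample traffic: a benign form-encoded add-to-wishlist request,
# an unauthenticated multipart upload matching the pattern, and an unrelated GET.
SAMPLE_RECORDS = [
    {"method": "POST", "path": "/", "content_type": "application/x-www-form-urlencoded",
     "authenticated": True, "form": {"tinv_wishlist_id": "12", "product_action": "addto"},
     "files": [], "body_boundary": None,
     "response_json": {"wishlist_url": "/wishlist/abc123/"}},
    {"method": "POST", "path": "/", "content_type": "multipart/form-data; boundary=x",
     "authenticated": False, "form": {"tinv_wishlist_id": "12", "product_action": "addto"},
     "files": ["file"], "body_boundary": POC_BOUNDARY,
     "response_json": {"wishlist_url": "/wp-content/uploads/2025/05/sample-upload.txt"}},
    {"method": "GET", "path": "/shop/", "content_type": "", "authenticated": False,
     "form": {}, "files": [], "body_boundary": None, "response_json": None},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_RECORDS):
        print(f"record {idx}: {', '.join(hits)}")
```

The boundary check is kept separate from the core signature because a modified exploit will change it; treat it as a confidence booster, not a requirement. The response-side check is what lets a rule distinguish a blocked or failed upload from one that actually landed a file under wp-content/uploads.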