Over 100,000 WordPress Websites at Risk from Plugin Flaw
A major security problem has been found in a popular WordPress plugin called TI WooCommerce Wishlist, which is used by over 100,000 websites. This plugin helps online shoppers save their favorite products and share their wishlists on social media—but now it may be putting those sites in danger.
Cybersecurity experts say that the plugin has a critical flaw that lets hackers upload harmful files to a website without needing a password or login. If they succeed, the hackers could take control of the website and do serious damage.
What’s the Risk?
The problem affects all versions of the plugin up to version 2.9.2, which was released on November 29, 2024. Right now, there is no fix (or “patch”) available, so websites using it are vulnerable.
The issue comes from the way the plugin checks files that are uploaded. It skips some important safety steps, which means a hacker could upload dangerous files—like a file that lets them break into the website.
However, the attack only works if another plugin called WC Fields Factory is also installed and active. If your site doesn’t use that second plugin, you might be safe—but many sites do.
What Should You Do?
If you run a WordPress site and use the TI WooCommerce Wishlist plugin, here’s what security experts recommend:
- Immediately deactivate and delete the plugin, especially if you also use the WC Fields Factory plugin.
- Keep an eye out for any updates from the plugin developers that fix the issue.
- Be cautious about which plugins you install and always keep them up to date.
Until a fix is released, it’s safer to remove the plugin entirely to protect your website and your visitors.
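To check a site against the conditions described above (TI WooCommerce Wishlist at version 2.9.2 or earlier, with WC Fields Factory also present), the following added example, which is not code from the plugin developers or the researchers, reads plugin headers straight from the WordPress plugin directory. The folder names ti-woocommerce-wishlist and wc-fields-factory are assumptions, as are the result labels and the sample tree, which is constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# Directory slugs are assumptions (the article names the plugins, not their folders).
WISHLIST_SLUG = "ti-woocommerce-wishlist"
FIELDS_SLUG = "wc-fields-factory"
LAST_AFFECTED = (2, 9, 2)  # article: all versions up to 2.9.2 are affected

VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.M | re.I)

def plugin_version(plugin_dir):
    """Version header of the plugin's main file (the one with 'Plugin Name:')."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_text(errors="replace")[:8192]
        match = VERSION_RE.search(head)
        if "Plugin Name:" in head and match:
            return match.group(1)
    return None

def as_tuple(version):
    """'2.10' -> (2, 10, 0), so it compares above 2.9.2 (string compare would not)."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def audit(wp_root):
    """Classify one WordPress install from its plugin directory alone."""
    plugins = Path(wp_root) / "wp-content" / "plugins"
    if not (plugins / WISHLIST_SLUG).is_dir():
        return "not-installed"
    version = plugin_version(plugins / WISHLIST_SLUG)
    # An unreadable version is treated as affected (fail closed).
    if version is not None and as_tuple(version) > LAST_AFFECTED:
        return "newer-than-affected"
    # Files on disk cannot show whether a plugin is active, only installed.
    return "remove-now" if (plugins / FIELDS_SLUG).is_dir() else "affected"

def make_sample(root, version, with_fields):
    """Build a constructed plugin tree for the demo below."""
    wl = Path(root) / "wp-content" / "plugins" / WISHLIST_SLUG
    wl.mkdir(parents=True)
    (wl / "main.php").write_text(
        f"<?php\n/**\n * Plugin Name: Sample Wishlist\n * Version: {version}\n */\n")
    if with_fields:
        (wl.parent / FIELDS_SLUG).mkdir()
    return root

if __name__ == "__main__":
    for ver, fields in [("2.9.2", True), ("2.9.1", False), ("2.10.0", True)]:
        with tempfile.TemporaryDirectory() as tmp:
            print(ver, fields, audit(make_sample(tmp, ver, fields)))
```

A result of "affected" still calls for removal under the advice above; "remove-now" only marks the sites where both plugins are on disk.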