Add CVE-2025-47577 - TI WooCommerce Wishlist Arbitrary File Upload template

[CEHCVKR]

PR Information

• Added CVE-2025-47577 - TI WooCommerce Wishlist <= 2.9.2 Arbitrary File Upload template.
• References:
  • https://nvd.nist.gov/vuln/detail/CVE-2025-47577
  • https://patchstack.com/articles/unpatched-critical-vulnerability-in-ti-woocommerce-wishlist-plugin/
  • https://patchstack.com/database/Wordpress/Plugin/ti-woocommerce-wishlist/vulnerability/wordpress-ti-woocommerce-wishlist-2-9-2-arbitrary-file-upload-vulnerability
  • https://github.com/Yucaerin/CVE-2025-47577
  • [TEMPLATE REQUEST] CVE-2025-47577 #12251

Detection uses a 3-step flow to reduce false positives:

1. GET homepage and extract product_id from data-tinv-wl-product.
2. Send multipart upload flow and extract wishlist_url from JSON response.
3. Request wishlist_url and match uploaded artifact path under /wp-content/uploads/product_addons_uploads/.

Template validation

• Validated with a host running a vulnerable version and/or configuration (True Positive)
• Validated with a host running a patched version and/or configuration (avoid False Positive)

Additional Details (leave it blank if not applicable)

• Template syntax validated locally:
  • nuclei -validate -t http/cves/2025/CVE-2025-47577.yaml
• Template behavior validated in controlled local simulation only:
  • vulnerable simulation produced a match
  • patched simulation produced no match
• verified: false is intentionally kept until confirmed on a real vulnerable target and a real patched target.

Additional References:

• Nuclei Template Creation Guideline
• Nuclei Template Matcher Guideline
• Nuclei Template Contribution Guideline
• PD-Community Discord server