CVE-2025-2780

Name of the Vulnerable Software and Affected Versions Woffice Core plugin for WordPress versions up to, and including, 5.4.21

Description The issue is related to arbitrary file uploads due to missing file type validation in the saveFeaturedImage function. This allows authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible.

Recommendations For versions up to, and including, 5.4.21, consider disabling the saveFeaturedImage function until a patch is available to prevent arbitrary file uploads. Restrict access to the affected plugin to minimize the risk of exploitation. Avoid using the Woffice Core plugin until the issue is resolved. Update to a version higher than 5.4.21 when available.