CVE-2025-4403

Name of the Vulnerable Software and Affected Versions Drag and Drop Multiple File Upload for WooCommerce plugin for WordPress versions up to, and including, 1.1.6

Description The issue allows unauthenticated attackers to upload arbitrary files on the affected site's server, which may make remote code execution possible. This is due to the plugin accepting a user-supplied supported type string and the uploaded filename without enforcing real extension or MIME checks within the upload() function.

Recommendations For versions up to, and including, 1.1.6, consider disabling the upload() function until a patch is available. Restrict access to the upload functionality to minimize the risk of exploitation. Avoid using the supported type string and uploaded filename without proper validation and sanitization. Update to a version that includes a fix for this issue when available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.