PT-2025-24606 · Woocommerce · Abandoned Cart Pro For Woocommerce
Phil Wylie · Published 2025-06-10 · Updated 2025-06-10
CVE-2025-4387
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Abandoned Cart Pro for WooCommerce versions up to, and including, 9.16.0
Description
The issue is an authenticated arbitrary file upload caused by missing file type validation in the wcap add to cart popup upload files function. It allows an authenticated attacker with subscriber-level access or higher to upload arbitrary files to the site's server, which can enable remote or local code execution depending on the server configuration.
Recommendations
For versions up to, and including, 9.16.0, update to a version that includes the fix for the arbitrary file upload vulnerability.
As a temporary workaround, consider disabling the wcap add to cart popup upload files function until a patch is available.
Fix
Unrestricted File Upload
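The root cause named above is a file type check that is absent from the upload handler. The following is an added illustration of what such a check looks like in a WordPress AJAX upload handler; it is not the plugin's code and does not reproduce the vulnerable function. The action name, nonce name, request field names and the MIME allowlist are assumptions chosen for the example.

```php
<?php
// Added example of a hardened WordPress AJAX upload handler (not the plugin's code).
// The unsafe pattern behind "unrestricted file upload" bugs is to call
// move_uploaded_file( $_FILES['file']['tmp_name'], $dest ) with no check on who is
// uploading or what the file actually is. Every name below is assumed for illustration.

add_action( 'wp_ajax_example_popup_upload', 'example_popup_upload_handler' );

function example_popup_upload_handler() {
    // 1. The request must carry a valid nonce issued for this action (CSRF protection).
    check_ajax_referer( 'example_popup_upload', 'nonce' );

    // 2. Low-privilege roles must not reach the upload path at all. By default the
    //    Subscriber role does not hold 'upload_files'; Author and above do.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    if ( empty( $_FILES['file'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( array( 'message' => 'No file received.' ), 400 );
    }
    $file = $_FILES['file'];

    // 3. Explicit allowlist of what the feature legitimately needs (assumed here: images
    //    and PDF). Nothing the web server would execute is on the list by design.
    $allowed_mimes = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
        'pdf'      => 'application/pdf',
    );

    // 4. Size cap enforced in code, independent of php.ini limits.
    $max_bytes = min( wp_max_upload_size(), 5 * MB_IN_BYTES );
    if ( $file['size'] > $max_bytes ) {
        wp_send_json_error( array( 'message' => 'File too large.' ), 413 );
    }

    // 5. Validate the name against the allowlist and, for the types core recognises,
    //    compare the real file content with the extension. wp_check_filetype_and_ext()
    //    returns empty 'ext'/'type' when the file is not permitted or when content and
    //    extension disagree (e.g. a script renamed to .png).
    $filename = sanitize_file_name( $file['name'] );
    $check    = wp_check_filetype_and_ext( $file['tmp_name'], $filename, $allowed_mimes );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( array( 'message' => 'File type not permitted.' ), 415 );
    }
    if ( ! empty( $check['proper_filename'] ) ) {
        $filename = $check['proper_filename']; // core corrected the extension to match content
    }
    $file['name'] = $filename;

    // 6. Let core move the file into the uploads directory. The same allowlist is passed
    //    so wp_handle_upload() rejects the file as well if anything above was bypassed.
    $result = wp_handle_upload(
        $file,
        array( 'test_form' => false, 'mimes' => $allowed_mimes )
    );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( array( 'message' => $result['error'] ), 400 );
    }

    wp_send_json_success( array( 'url' => esc_url_raw( $result['url'] ) ) );
}
```

The client side of this example would obtain its nonce from wp_create_nonce( 'example_popup_upload' ) and post it in the nonce field. The two checks that matter most for the advisory's finding are steps 2 and 5: a capability gate that keeps subscriber-level accounts away from the upload path, and an allowlist-based type check applied before the file is written anywhere the web server can serve it. Where a feature cannot be patched immediately, the advisory's workaround of disabling the upload function removes the same code path entirely.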
Weakness Enumeration
Related Identifiers
Affected Products
Abandoned Cart Pro For Woocommerce