PT-2025-47711 · Woocommerce+1

Moose Love · Published 2025-11-21 · Updated 2025-12-09 · CVE-2025-13156

CVSS v3.1: 8.8 High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Vitepos – Point of Sale (POS) for WooCommerce versions up to and including 3.3.0

Description

The Vitepos – Point of Sale (POS) for WooCommerce plugin for WordPress is susceptible to arbitrary file uploads due to a lack of file type validation within the insert_media_attachment() function. Specifically, the save_update_category_img() function accepts user-supplied file types without validation when processing category images. This allows authenticated attackers with subscriber-level access or higher to upload arbitrary files to the affected server, potentially leading to remote code execution. Because the plugin runs on point of sale systems that handle payment data, a file upload that can lead to remote code execution is a critical issue.

Recommendations

Versions up to and including 3.3.0 should be updated to version 3.3.1 or later.
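As an added example (not code from the Vitepos plugin or from this advisory), the Python sketch below audits an upload directory for files that the missing file type validation described above would have let through: executable or double extensions, content that does not match an image extension, and embedded PHP open tags. The image allowlist, the extension set and the sample files are assumptions constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

# Magic bytes for the image types a category picture is expected to have.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a"),
}
# Assumption: extensions the web server hands to PHP; adjust to your handler config.
EXEC_EXT = {".php", ".phtml", ".phar", ".pht", ".php5", ".php7"}

def classify(path):
    """Return the reasons a file does not belong in an image upload directory."""
    parts = os.path.basename(path).lower().split(".")[1:]
    with open(path, "rb") as fh:
        data = fh.read(64 * 1024)  # header plus enough body to spot a script tag
    reasons = []
    if any("." + p in EXEC_EXT for p in parts):  # also catches name.php.jpg
        reasons.append("executable extension")
    sigs = IMAGE_MAGIC.get("." + parts[-1] if parts else "")
    if sigs is None:
        reasons.append("extension not in image allowlist")
    elif not data.startswith(sigs):
        reasons.append("content does not match extension")
    if b"<?php" in data:
        reasons.append("embedded PHP open tag")
    return reasons

def audit(root):
    """Walk root and map relative path -> reasons for every suspicious file."""
    paths = (os.path.join(d, f) for d, _, fs in os.walk(root) for f in fs)
    hits = ((os.path.relpath(p, root), classify(p)) for p in paths)
    return {rel: why for rel, why in hits if why}

def demo():
    """Run audit() over a constructed tree: one clean PNG and three flagged files."""
    samples = {  # constructed sample contents, not taken from any real site
        "2025/11/cat.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "2025/11/cat.php": b"<?php /* constructed */ ?>",
        "2025/11/logo.php.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
        "banner.gif": b"GIF89a<?php /* constructed */ ?>",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(body)
        return audit(root)
```

On a site that ran an affected version, `audit()` can be pointed at the WordPress uploads directory (by default `wp-content/uploads`; where the plugin stores category images is an assumption here). Legitimate non-image uploads such as PDFs will also be reported, so review the findings rather than deleting them blindly.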

Fix · RCE · Unrestricted File Upload

Weakness Enumeration

Related Identifiers: CVE-2025-13156

Affected Products: Vitepos, Woocommerce