PT-2025-52536 · Unknown+1 · Woocommerce+1
Md. Moniruzzaman Prodhan +1 · Published 2025-12-20 · Updated 2025-12-31
CVE-2025-13329
CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
File Uploader for WooCommerce versions up to and including 1.0.3
Description
The File Uploader for WooCommerce plugin for WordPress is susceptible to arbitrary file uploads because of a lack of file type validation within the callback function associated with the /add-image-data API endpoint. This allows unauthenticated attackers to upload arbitrary files to the Uploadcare service and subsequently download them to the affected site's server, potentially leading to remote code execution. The vulnerability is present in the add-image-data API endpoint and involves a missing check on the file parameter.
Recommendations
Versions up to and including 1.0.3: Update the plugin to a version beyond 1.0.3.
Fix
RCE
Unrestricted File Upload
Affected Products
File Uploader For Woocommerce
Woocommerce