Arbitrary File Upload Flaw in WooCommerce Plugin by WordPress
CVE-2025-10412

9.8CRITICAL

Key Information:

Vendor: WordPress
Status: Product Options And Price Calculation Formulas For WooCommerce – Uni Cpo (premium)
Vendor: CVE Published:; 23 September 2025

What is CVE-2025-10412?

A vulnerability exists in the WooCommerce – Uni CPO (Premium) plugin for WordPress due to improper file type validation within the 'uni_cpo_upload_file' function. This flaw, present in versions up to and including 4.9.54, enables unauthenticated attackers to upload arbitrary files onto the server hosting the affected site. Such uploads could potentially lead to remote code execution, posing significant security risks to the affected websites.

Affected Version(s)

Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) * <= 4.9.54

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://builderius.io/cpo/

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 23, 2025
Vulnerability Reserved
Sep 13, 2025

Credit

Ren Voza

JSON