Arbitrary File Upload Flaw in WooCommerce Plugin by WordPress
CVE-2025-10412

9.8CRITICAL

Key Information:

Vendor: WordPress
Status: Product Options And Price Calculation Formulas For WooCommerce – Uni Cpo (premium)
Vendor: CVE Published:; 23 September 2025

What is CVE-2025-10412?

A vulnerability exists in the WooCommerce – Uni CPO (Premium) plugin for WordPress due to improper file type validation within the 'uni_cpo_upload_file' function. This flaw, present in versions up to and including 4.9.54, enables unauthenticated attackers to upload arbitrary files onto the server hosting the affected site. Such uploads could potentially lead to remote code execution, posing significant security risks to the affected websites.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) * <= 4.9.54

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://builderius.io/cpo/

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 23, 2025
Vulnerability Reserved
Sep 13, 2025

Credit

Ren Voza

JSON

WordPress

What is CVE-2025-10412?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V3.1

Timeline

Credit

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.