Arbitrary File Upload Vulnerability in WooCommerce Plugin by WordPress
CVE-2025-11391

9.8 CRITICAL

What is CVE-2025-11391?

The Product Addons & Custom Fields for WooCommerce plugin for WordPress is susceptible to an arbitrary file upload vulnerability due to inadequate file type validation in its image cropper functionality. This flaw is present in all versions up to and including 33.0.15. It allows unauthenticated attackers to upload arbitrary files to the affected site's server, potentially leading to remote code execution. Note that while this vulnerability is in the free version, it primarily impacts users who have activated the paid version of the plugin.
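The record above names the root cause (file type validation in an image upload path that is weak enough to admit non-image files from unauthenticated callers) but not the fix. The following is an added illustration, not code from the PPOM plugin, of how a WordPress image-cropper upload handler can close that class of flaw: it registers only the authenticated AJAX hook, checks capability and nonce, verifies the real image signature against an extension allowlist, re-encodes the image so trailing script data is dropped, and stores it under a server-generated name. All `example_` names and the `example-crops` directory are hypothetical.

```php
<?php
// Added example, not the plugin's own code. Names prefixed "example_" are hypothetical.

/**
 * Validate an uploaded image and write a re-encoded copy under a fresh name.
 * Returns the new path, or a message starting with "!" on rejection.
 */
function example_validate_image( string $tmp_path, string $client_name, string $dest_dir ): string {
    // Permitted extensions and the signature each one must actually carry.
    $allowed = [ 'jpg' => IMAGETYPE_JPEG, 'jpeg' => IMAGETYPE_JPEG, 'png' => IMAGETYPE_PNG ];

    // The client extension is only an allowlist gate. $_FILES['type'] is never
    // consulted: the client sets it freely.
    $ext = strtolower( pathinfo( $client_name, PATHINFO_EXTENSION ) );
    if ( ! isset( $allowed[ $ext ] ) ) {
        return '!extension not permitted';
    }

    // Read the real signature and require it to match the extension.
    $info = @getimagesize( $tmp_path );
    $type = $info ? $info[2] : 0;
    if ( $type !== $allowed[ $ext ] ) {
        return '!content does not match extension';
    }

    // Decode and re-encode with GD: a polyglot with script code appended after
    // a valid image loses that trailing data in the re-encoded copy.
    $img = @imagecreatefromstring( (string) file_get_contents( $tmp_path ) );
    if ( $img === false ) {
        return '!image could not be decoded';
    }

    // Server-generated name with a fixed extension; the client name is discarded.
    wp_mkdir_p( $dest_dir );
    $dest = rtrim( $dest_dir, '/' ) . '/' . bin2hex( random_bytes( 16 ) )
          . ( $type === IMAGETYPE_PNG ? '.png' : '.jpg' );
    $ok = ( $type === IMAGETYPE_PNG ) ? imagepng( $img, $dest ) : imagejpeg( $img, $dest, 90 );
    return $ok ? $dest : '!could not write sanitised copy';
}

// Only the authenticated 'wp_ajax_' hook is registered (no 'wp_ajax_nopriv_'),
// so anonymous requests never reach the handler; capability and nonce gate the rest.
add_action( 'wp_ajax_example_crop_upload', function () {
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'example_crop_upload', 'nonce' );
    if ( empty( $_FILES['image'] ) || $_FILES['image']['error'] !== UPLOAD_ERR_OK ) {
        wp_send_json_error( 'no file', 400 );
    }
    $dir    = wp_upload_dir()['basedir'] . '/example-crops';
    $result = example_validate_image( $_FILES['image']['tmp_name'], $_FILES['image']['name'], $dir );
    if ( $result[0] === '!' ) {
        wp_send_json_error( substr( $result, 1 ), 400 );
    }
    wp_send_json_success( [ 'file' => basename( $result ) ] );
} );
```

A cropper that must serve logged-out visitors should still avoid the `nopriv` hook for the write step and instead accept the crop parameters only, performing the upload under an authenticated session.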

Affected Version(s)

PPOM – Product Addons & Custom Fields for WooCommerce: all versions <= 33.0.15

CVSS v3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Talal Nasraddeen