Arbitrary File Upload Vulnerability in the PPOM – Product Addons & Custom Fields for WooCommerce WordPress Plugin
CVE-2025-11391

9.8CRITICAL

Key Information:

Vendor

WordPress

CVE Published:
18 October 2025

Badges

📈 Score: 124 👾 Exploit Exists 🟡 Public PoC

What is CVE-2025-11391?

CVE-2025-11391 is an arbitrary file upload vulnerability in the PPOM – Product Addons & Custom Fields for WooCommerce plugin, an add-on for the WooCommerce e-commerce plugin for WordPress. The root cause is missing file type validation in the plugin's image cropper feature, present in all versions up to and including 33.0.15. Because the affected code path does not require authentication, an unauthenticated attacker can upload a file of their choosing to the web server hosting the site. If that file is server-side code (for example a PHP web shell written under the web root), requesting it yields remote code execution, and from there full control of the server, its data and any other sites it hosts.

The vulnerability is reported to be exploitable in the paid version of the plugin, although the flawed code is also present in the free version. Organizations relying on this plugin for their online stores face significant risk: the ability to place arbitrary files on the server is the usual first step toward persistent access, lateral movement and data theft.

Potential impact of CVE-2025-11391

  1. Remote Code Execution: Once an attacker can write a file of their choosing under the web root, a server-side script (for example a PHP web shell) is executed simply by requesting its URL. That gives the attacker the web server's privileges, from which they can read, modify or destroy data and tamper with site functionality.

  2. Data Breaches: With the capability to upload malicious files, attackers can gain access to sensitive information stored on the server. This can lead to significant data breaches, jeopardizing customer trust and resulting in legal and financial repercussions for the organization.

  3. Compromise of E-commerce Operations: For organizations using WooCommerce, successful exploitation of this vulnerability can disrupt e-commerce operations, leading to downtime, loss of sales, and damage to the brand reputation. Attackers can use compromised systems for further malicious activities, such as phishing or distributing malware.
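Because the realistic RCE path is a dropped script under `wp-content/uploads`, a practitioner assessing a site that ran the affected plugin wants a quick hunt for such files. The following is an added example (not part of the advisory or the plugin) that walks an uploads tree and flags files with an executable extension, a double extension, or a PHP open tag hidden inside an image; the directory layout and file contents it scans are constructed inline for the demonstration. The extension list is an assumption about a typical Apache/PHP-FPM handler configuration and should be adjusted to the target host.

```python
"""Hunt for dropped server-side scripts under a WordPress uploads directory.

Added example, not the plugin's code. `scan_uploads` walks a tree and flags
files that a PHP host would execute or that smuggle PHP inside an image.
`build_sample_tree` writes a constructed tree so the scan runs offline.
"""
import os
import tempfile

# Extensions most Apache/PHP-FPM setups hand to the PHP interpreter
# (assumed list; match it to the handlers configured on the real host).
EXECUTABLE_EXTS = {".php", ".php3", ".php4", ".php5", ".php7", ".php8", ".phtml", ".phar"}
PHP_TAGS = (b"<?php", b"<?=")


def classify(path: str):
    """Return a finding label for one file, or None if it looks benign."""
    name = os.path.basename(path).lower()
    stem, ext = os.path.splitext(name)
    if ext in EXECUTABLE_EXTS:
        return "executable extension"
    # logo.php.png style: an inner extension some Apache configs still execute
    if any("." + seg in EXECUTABLE_EXTS for seg in stem.split(".") if seg):
        return "double extension"
    with open(path, "rb") as fh:
        head = fh.read(64 * 1024)  # PHP tags in a dropped shell sit near the top
    if any(tag in head for tag in PHP_TAGS):
        return "php open tag in non-php file"
    return None


def scan_uploads(root: str) -> list:
    """Walk `root` and return findings as dicts sorted by relative path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            label = classify(full)
            if label:
                findings.append({
                    "path": os.path.relpath(full, root),
                    "reason": label,
                    "size": os.path.getsize(full),
                })
    return sorted(findings, key=lambda f: f["path"])


def has_php_exec_block(root: str) -> bool:
    """Crude check for the usual uploads hardening: an .htaccess at the
    uploads root that denies or unmaps PHP. Absence is itself a finding."""
    ht = os.path.join(root, ".htaccess")
    if not os.path.exists(ht):
        return False
    with open(ht, encoding="utf-8", errors="replace") as fh:
        text = fh.read().lower()
    return "php" in text and any(k in text for k in ("deny", "require all denied", "removehandler"))


def build_sample_tree() -> str:
    """Constructed uploads tree: one clean image, one dropped web shell,
    one PNG/PHP polyglot and one double-extension file. No .htaccess."""
    root = tempfile.mkdtemp(prefix="wp-uploads-")
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    files = {
        "2025/10/photo.png": png,
        "2025/10/shell.php": b"<?php system($_GET['cmd']); ?>",
        "2025/10/avatar.png": png + b"<?php eval($_POST['x']); ?>",
        "2025/10/logo.php.png": b"<?php phpinfo(); ?>",
    }
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


def hunt_demo() -> dict:
    """Build the sample tree, scan it, and map each flagged path to its reason."""
    root = build_sample_tree()
    return {f["path"]: f["reason"] for f in scan_uploads(root)}


if __name__ == "__main__":
    root = build_sample_tree()
    for finding in scan_uploads(root):
        print(finding)
    print("php execution blocked in uploads:", has_php_exec_block(root))
```

Run it against a real site as `scan_uploads("/var/www/html/wp-content/uploads")`; anything flagged should be compared against file modification times and the web server access log for the first request to that path, which is typically the attacker's check-in.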

Affected Version(s)

PPOM – Product Addons & Custom Fields for WooCommerce: all versions <= 33.0.15

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. It is also a key building block for weaponization, which can end in ransomware deployment. This page lists a public PoC as available but does not reproduce it.

References

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • 🟡 Public PoC available

  • 👾 Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Talal Nasraddeen