Arbitrary File Upload Vulnerability in File Uploader for WooCommerce by WordPress
CVE-2025-13329
9.8 CRITICAL
Key Information:
- Vendor: WordPress
- CVE Published: 20 December 2025
What is CVE-2025-13329?
The File Uploader for WooCommerce plugin for WordPress suffers from a vulnerability that allows unauthenticated attackers to upload arbitrary files. This issue arises from a lack of proper file type validation in the callback function for the 'add-image-data' REST API endpoint. As a result, attackers can upload malicious files to the Uploadcare service and execute them on the affected website's server, potentially leading to remote code execution. Users are advised to upgrade to a secure version to mitigate this risk.
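The two controls the description says were missing, an authorization check on the REST route and file type validation in its callback, are shown below as an added example; this is not the plugin's code or its patch. The namespace `example-uploader/v1`, the function `example_add_image_data`, the `file` field, the image-only allow-list and the `upload_files` capability are assumptions, and the example validates a file sent directly in the request rather than reproducing the plugin's Uploadcare flow, which the page does not show.

```php
<?php
// Added illustration: route namespace, function names and allow-list are hypothetical.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-uploader/v1', '/add-image-data', array(
        'methods'             => 'POST',
        'callback'            => 'example_add_image_data',
        // Require an authenticated user with an upload capability (assumed policy).
        'permission_callback' => function () {
            return current_user_can( 'upload_files' );
        },
    ) );
} );

function example_add_image_data( WP_REST_Request $request ) {
    $files = $request->get_file_params();
    if ( empty( $files['file'] ) || UPLOAD_ERR_OK !== $files['file']['error'] ) {
        return new WP_Error( 'no_file', 'No file received.', array( 'status' => 400 ) );
    }
    $file = $files['file'];

    // Allow-list of extensions and MIME types (assumed: images only).
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    );

    // Checks the extension against the allow-list and, for images,
    // compares the declared type with the real file content.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'File type not allowed.', array( 'status' => 415 ) );
    }

    // wp_handle_upload() lives in an admin include and re-applies the same allow-list.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $saved = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $saved['error'] ) ) {
        return new WP_Error( 'upload_failed', $saved['error'], array( 'status' => 400 ) );
    }
    return rest_ensure_response( array( 'url' => $saved['url'] ) );
}
```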
Affected Version(s)
File Uploader for WooCommerce: all versions <= 1.0.3