Arbitrary File Movement Vulnerability in WooCommerce Plugin by WordPress
CVE-2025-2941

9.8 CRITICAL

Key Information:

Vendor: WordPress

CVE Published: 5 April 2025

What is CVE-2025-2941?

CVE-2025-2941 is a critical vulnerability in the Drag and Drop Multiple File Upload for WooCommerce plugin, which is widely used in WordPress websites. This plugin allows users to easily upload multiple files to their WooCommerce stores, enhancing workflow and user experience. However, this vulnerability arises from insufficient file path validation, enabling unauthenticated attackers to manipulate file locations on the server. Should a malicious actor exploit this vulnerability, they could potentially relocate sensitive files, leading to severe consequences for the organization.

Technical Details

The vulnerability exists in all versions of the plugin up to and including version 1.1.4. It lies in the handling of the wc-upload-file[] parameter, whose value is used in a file operation without proper validation of the file path. This oversight lets an attacker move any file the web server process can access, which is especially serious for the files that control the site's operation and security.
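The defensive counterpart to the missing check described above is a path-containment test applied before any server-side move. The following PHP is an added example written for this page, not code from the plugin or from WooCommerce; the function names, the upload directory layout and the allowed-extension list are assumptions chosen for illustration. The request may only name a file relative to the upload directory, the canonical path is verified to stay inside that directory (which defeats `../` segments and symlinks), and the destination is built from a sanitized basename rather than from any directory component the client supplied.

```php
<?php
// Added example (not the plugin's own code): a containment check to run
// before any rename()/move of an uploaded file. Names are assumptions.

/**
 * Join $relative onto $baseDir, canonicalise, and confirm the result is
 * still inside $baseDir. Returns the canonical path, or null when the
 * path does not exist or escapes the directory (e.g. "../wp-config.php").
 */
function resolve_inside_dir(string $baseDir, string $relative): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null; // upload directory itself is missing
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // realpath() collapses ".." and follows symlinks, so the prefix test
    // below is made on the real filesystem location, not on the string
    // the client sent.
    $real = realpath($base . $relative);
    if ($real === false) {
        return null; // target does not exist (absolute paths end up here too)
    }
    if (strncmp($real, $base, strlen($base)) !== 0) {
        return null; // canonical path is outside the upload directory
    }
    return $real;
}

/**
 * Move a previously uploaded file within the upload directory.
 * $sourceParam is the client-controlled value (think of a request
 * parameter like wc-upload-file[]); it is never passed to the filesystem
 * directly, which is the pattern a safe handler must avoid.
 */
function safe_move_upload(string $uploadDir, string $sourceParam, string $destName): bool
{
    // 1. The source must resolve to a regular file inside the upload dir.
    $src = resolve_inside_dir($uploadDir, $sourceParam);
    if ($src === null || !is_file($src)) {
        return false;
    }

    // 2. The destination keeps only the basename, so no directory
    //    component from the request reaches the filesystem.
    $name = basename($destName);
    if ($name === '' || $name === '.' || $name === '..') {
        return false;
    }

    // 3. Assumed site policy: only document/image types may be stored.
    $allowed = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true)) {
        return false;
    }

    $dst = rtrim(realpath($uploadDir), DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR . $name;
    if (file_exists($dst)) {
        return false; // never silently overwrite an existing file
    }
    return rename($src, $dst);
}

// Constructed demonstration: a throwaway directory tree with one uploaded
// file and one file deliberately placed outside the upload directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'upload-demo-' . getmypid();
mkdir($root . '/uploads', 0700, true);
file_put_contents($root . '/uploads/order-123.pdf', 'constructed pdf bytes');
file_put_contents($root . '/secret.txt', 'constructed file outside the upload dir');

// A legitimate rename inside the upload directory.
var_dump(safe_move_upload($root . '/uploads', 'order-123.pdf', 'order-123-final.pdf'));
// A source path that climbs out of the upload directory.
var_dump(safe_move_upload($root . '/uploads', '../secret.txt', 'copy.txt'));
// A destination carrying a directory component and a disallowed extension.
var_dump(safe_move_upload($root . '/uploads', 'order-123-final.pdf', '../../shell.php'));
```

Only the first call should succeed: the second is rejected because the canonical source path lies outside the upload directory, and the third because the destination's directory component is discarded and its extension is not on the allowed list. The same containment check belongs on every filesystem primitive a plugin exposes to request data, not only on move operations.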

Potential Impact of CVE-2025-2941

  1. Remote Code Execution: The most significant risk associated with this vulnerability is the potential for remote code execution. By moving critical files like wp-config.php, attackers can gain unauthorized access to sensitive data, including database credentials and API keys, potentially compromising the entire website.

  2. Data Breach: Unauthorized file movement can result in data leaks, exposing confidential information to malicious parties. This could lead to regulatory penalties and damage to brand reputation if customer data or proprietary information is accessed and misused.

  3. System Compromise: Exploiting this vulnerability can allow attackers to take control of the affected server, enabling further intrusions, deployment of malware, or even lateral movement within the network. This elevated access can facilitate larger attacks, including ransomware deployment and data exfiltration.

Affected Version(s)

Drag and Drop Multiple File Upload for WooCommerce: all versions <= 1.1.4

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Nguyen Tan Phat