Primary

Context

File Uploader for WooCommerce Unauthenticated Arbitrary File Upload Vulnerability

Vulnerability

A vulnerability exists in the File Uploader for WooCommerce plugin for WordPress, allowing unauthenticated users to upload arbitrary files. This issue arises from inadequate file type validation in the callback function for the 'add-image-data' REST API endpoint, affecting all versions up to and including 1.0.3. Exploitation of this vulnerability could lead to remote code execution, as uploaded files are sent to the Uploadcare service and can be downloaded to the affected site's server.

Impact

Exploitation of this vulnerability could result in unauthorized file uploads, potentially leading to remote code execution on the server.

Remediation

No known patch is available. It is recommended to uninstall the affected plugin and find a replacement.

Added: Dec 20, 2025, 4:29 AM

Updated: Dec 20, 2025, 4:29 AM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

10.0

exploitability

7.4

remediation

0.0

relevance

1.6

threat

0.0

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

10.0

exploitability

7.4

remediation

0.0

relevance

1.6

threat

0.0

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

File Uploader for WooCommerce Unauthenticated Arbitrary File Upload Vulnerability

Vulnerability

Impact

Remediation

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating