Platform
wordpress
Component
drag-and-drop-multiple-file-upload-for-woocommerce
Fixed in
1.1.5
CVE-2025-2941 describes an arbitrary file access vulnerability affecting the Drag and Drop Multiple File Upload for WooCommerce WordPress plugin. This flaw allows unauthenticated attackers to manipulate file paths, potentially leading to remote code execution. The vulnerability impacts versions 0.0.0 through 1.1.4, and a patch is expected from the vendor.
The core of this vulnerability lies in insufficient file path validation within the plugin's file upload functionality. Attackers can exploit this by crafting malicious requests that manipulate the wc-upload-file[] parameter to move files to arbitrary locations on the server. A particularly dangerous scenario involves moving the wp-config.php file, which contains sensitive database credentials and configuration settings. Gaining control of this file effectively grants the attacker complete control over the WordPress installation, enabling them to execute arbitrary code, steal data, and compromise the entire website. The potential for remote code execution makes this a high-severity risk.
CVE-2025-2941 was publicly disclosed on April 5, 2025. While no public proof-of-concept (PoC) code has been released at the time of writing, the ease of exploitation and the potential for remote code execution suggest a high probability of exploitation. The vulnerability's impact on WordPress sites makes it a likely target for automated scanning and exploitation campaigns. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
2.94% (86% percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to immediately upgrade the Drag and Drop Multiple File Upload for WooCommerce plugin to a version containing the fix. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing temporary workarounds. These might include restricting file upload permissions on the server, employing a Web Application Firewall (WAF) to filter malicious requests targeting the wc-upload-file[] parameter, or implementing stricter file path validation within the plugin's code (if possible). Monitor WordPress access logs for suspicious file movement activity. After upgrading, verify the fix by attempting a file upload and confirming that the file path validation is enforced.
Update the Drag and Drop Multiple File Upload for WooCommerce plugin to the latest available version to address the arbitrary file move vulnerability. This update corrects the inadequate file path validation, preventing unauthenticated attackers from manipulating files on the server. Ensure you back up your website before updating.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-2941 is a critical vulnerability allowing unauthenticated attackers to move files on a WordPress server, potentially leading to remote code execution. It affects versions 0.0.0 to 1.1.4 of the Drag and Drop Multiple File Upload for WooCommerce plugin.
You are affected if your WordPress site uses the Drag and Drop Multiple File Upload for WooCommerce plugin and is running version 0.0.0 through 1.1.4. Check your plugin versions immediately.
Upgrade the Drag and Drop Multiple File Upload for WooCommerce plugin to the latest available version. If upgrading isn't possible immediately, implement temporary workarounds like WAF rules or file permission restrictions.
While no public exploits are currently available, the vulnerability's severity and ease of exploitation suggest a high probability of active exploitation. Monitor your systems closely.
Refer to the official WooCommerce and WordPress security advisories for updates and further information regarding CVE-2025-2941.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.