Platform: wordpress
Component: wpshop
Fixed in: 2.6.2
CVE-2025-32576 is a critical Cross-Site Request Forgery (CSRF) vulnerability affecting WP shop, a WordPress plugin developed by Agence web Eoxia. This vulnerability allows an attacker to upload a malicious Web Shell to the web server, potentially leading to complete server compromise. The vulnerability impacts versions from 0.0.0 up to and including 2.6.1, and a patch is available in version 2.6.2.
The impact of this vulnerability is severe. Successful exploitation allows an attacker to upload a Web Shell, effectively granting them remote code execution (RCE) capabilities on the affected server. This can lead to complete compromise of the web server, including data theft, modification, or deletion. The attacker could also use the compromised server as a launchpad for further attacks against other systems within the network. The ability to upload arbitrary code bypasses standard security controls and represents a significant risk to data confidentiality, integrity, and availability.
This vulnerability was publicly disclosed on April 9, 2025. No active exploitation campaigns had been confirmed at the time of writing, but the ease of exploitation and the severity of the impact make it a high-priority vulnerability, and a public proof-of-concept is likely to appear, which would further raise the risk. Monitor security advisories and threat intelligence feeds for any indication of active exploitation.
Exploit Status
EPSS: 0.09% (26th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade WP shop to version 2.6.2 or later immediately. If upgrading is not immediately feasible because of compatibility issues or testing requirements, consider temporary workarounds: restricting file upload permissions within the WordPress environment, enforcing strict input validation on all file upload forms, and enabling CSRF protection mechanisms within the WordPress application. Monitor web server access logs for suspicious file uploads or unusual activity. After upgrading, confirm the fix by attempting a CSRF request against a protected endpoint and verifying that it is rejected.
Update the WP shop plugin to version 2.6.2 or higher to mitigate the Cross-Site Request Forgery (CSRF) vulnerability that allows uploading a web shell to the server. Ensure you back up your website before updating the plugin. Refer to the plugin documentation for detailed instructions on how to update.
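As an added illustration of the CSRF-protection and input-validation workarounds described above (example code written for this page, not WP shop's own; the hook name, action name, nonce action and form field names are hypothetical), here is a WordPress admin-ajax upload handler that applies the three checks that stop a forged request from placing an executable file on the server:

```php
<?php
// Added example, not WP shop's code: a hardened admin-ajax upload handler.
// The hook/action names, nonce action and field names are hypothetical.

add_action( 'wp_ajax_example_upload_product_file', 'example_upload_product_file' );

function example_upload_product_file() {
    // 1. CSRF: the request must carry a nonce issued to this logged-in user.
    //    A form on an attacker's site cannot obtain it, so a forged request
    //    dies here before any file is touched.
    check_ajax_referer( 'example_upload_nonce', '_wpnonce' );

    // 2. Authorization: a valid session alone is not enough; require a capability.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient capability', 403 );
    }

    if ( empty( $_FILES['product_file'] ) ) {
        wp_send_json_error( 'no file supplied', 400 );
    }

    // 3. Input validation: allowlist extension+MIME pairs; anything PHP-like
    //    (.php, .phtml, .phar, ...) is simply not in the list.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'pdf'      => 'application/pdf',
    );
    $file     = $_FILES['product_file'];
    $filename = sanitize_file_name( $file['name'] );
    // Checks the extension against the allowlist and, for images, the real content.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $filename, $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }

    require_once ABSPATH . 'wp-admin/includes/file.php';
    // 'mimes' re-applies the allowlist inside core; test_form is false because
    // the nonce check above already proved the request came from our form.
    $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}

// The submitting form or script must embed wp_create_nonce( 'example_upload_nonce' )
// as the _wpnonce field; without it the handler rejects every request.
```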
CVE-2025-32576 is a critical Cross-Site Request Forgery (CSRF) vulnerability in the WP shop WordPress plugin, allowing attackers to upload a Web Shell.
You are affected if you are using WP shop versions 0.0.0 through 2.6.1. Upgrade immediately.
Upgrade WP shop to version 2.6.2 or later. If immediate upgrade is not possible, implement temporary workarounds like restricting file uploads.
While no active exploitation campaigns have been confirmed, the vulnerability's severity and ease of exploitation suggest a high risk of exploitation.
Refer to the official WP shop website and WordPress security announcements for the latest advisory and updates.