Platform
wordpress
Component
product-xml-feeds-for-woocommerce
Fixed in
2.9.4
CVE-2025-49887 is a Remote Code Execution (RCE) vulnerability in the Product XML Feed Manager for WooCommerce plugin. The underlying weakness is improper control of code generation, reported as Remote Code Inclusion: an attacker can cause the plugin to include and execute code of their choosing on the server. All versions up to and including 2.9.3 are affected; the fix ships in version 2.9.4.
The impact is severe. Successful exploitation lets an attacker execute arbitrary code on the web server hosting the WooCommerce store, which can lead to complete compromise: theft, modification or deletion of data, administrative access to the WordPress site, installation of malicious plugins or themes, or use of the server as a pivot for attacks on other systems. Because this is a code-inclusion bug, the attacker-controlled value reaches PHP's include or code-evaluation path rather than an HTML or SQL output context, so routine escaping offers no protection; the only reliable fix is the patched plugin.
The vulnerability is publicly disclosed and carries a CRITICAL CVSS score of 9.9. No active exploitation campaigns had been confirmed at the time of writing, the EPSS probability is low (0.06%), and the CVE is not listed in CISA KEV. The severity still makes it a high-priority fix: WordPress plugin flaws of this class are commonly weaponised soon after a public proof of concept appears, so patch before that happens and monitor for proof-of-concept releases.
Exploit Status
EPSS
0.06% (18th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade the Product XML Feed Manager for WooCommerce plugin to version 2.9.4 or later without delay. If upgrading is not immediately feasible because of compatibility concerns, deactivate the plugin until it can be updated; note that deactivation stops WordPress loading the plugin but leaves its files in the web root, so if the feeds are not needed, delete the plugin instead. The following are defence in depth, not a substitute for the patch: restrict the web server user's write access to the WordPress tree (and set DISALLOW_FILE_MODS in wp-config.php so plugins and themes cannot be installed or edited through the dashboard), block PHP execution under wp-content/uploads, and add Web Application Firewall rules that reject requests carrying PHP code or remote URLs in parameters aimed at this plugin. Review installed plugins regularly and only install plugins from trusted sources.
Update the Product XML Feed Manager for WooCommerce plugin to version 2.9.4 or higher to mitigate the Remote Code Execution (RCE) vulnerability. This update addresses the improper control of code generation that allows Remote Code Inclusion.
CVE-2025-49887 is a critical Remote Code Execution vulnerability in the Product XML Feed Manager for WooCommerce plugin, allowing attackers to execute arbitrary code on your server.
You are affected if you run any version of Product XML Feed Manager for WooCommerce up to and including 2.9.3. Check the installed version now, either on the Plugins screen in wp-admin or from the Version header of the plugin's main file.
Upgrade the Product XML Feed Manager for WooCommerce plugin to version 2.9.4 or later to resolve this vulnerability. If upgrading is not possible, temporarily disable the plugin.
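To check the installed version across several WordPress installs, the script below walks each document root, finds the plugin by its slug (product-xml-feeds-for-woocommerce, as given in the Component field above), reads the standard WordPress plugin header and compares the Version value against the fixed release. This is an added example, not code from the plugin, its vendor or the advisory; the name of the plugin's main PHP file is not stated on the page, so it is located by the Plugin Name header rather than a hard-coded filename, and the demo WordPress tree it scans is constructed in a temporary directory.

```python
"""Find installs of product-xml-feeds-for-woocommerce still on a version
below 2.9.4 (i.e. affected by CVE-2025-49887).

Added example; assumptions: plugin directory is
wp-content/plugins/product-xml-feeds-for-woocommerce under each site root,
and its main file carries the usual 'Plugin Name:' / 'Version:' header.
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Tuple

PLUGIN_SLUG = "product-xml-feeds-for-woocommerce"
FIXED_VERSION = "2.9.4"

# Same header grammar WordPress itself uses: optional comment leaders,
# the key, then the value to end of line.
_NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:", re.MULTILINE | re.IGNORECASE)
_VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.MULTILINE | re.IGNORECASE)


def parse_version(text: str) -> Tuple:
    """Convert '2.9.3', '2.9' or '2.9.4-beta' into a numerically comparable tuple.

    A plain string comparison would rank '2.10.0' below '2.9.4'; splitting on
    dots and comparing integers avoids that. A '-suffix' marks a pre-release,
    which sorts below the bare release of the same number.
    """
    core, _, suffix = text.partition("-")
    parts = []
    for piece in core.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:          # pad so 2.9 compares equal to 2.9.0
        parts.append(0)
    return tuple(parts) + ((0, suffix) if suffix else (1,))


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` predates the fixed release."""
    return parse_version(version) < parse_version(fixed)


def plugin_version_from_header(php_source: str) -> Optional[str]:
    """Return the Version header value, but only from a file that also has a
    Plugin Name header (i.e. the plugin's main file, not a helper)."""
    if not _NAME_RE.search(php_source):
        return None
    m = _VERSION_RE.search(php_source)
    return m.group(1) if m else None


def scan(roots: Iterable[Path]) -> List[Dict]:
    """Report, per site root that has the plugin, its version and whether it
    is still vulnerable (None when no readable header was found)."""
    findings = []
    for root in roots:
        plugin_dir = Path(root) / "wp-content" / "plugins" / PLUGIN_SLUG
        if not plugin_dir.is_dir():
            continue
        version = None
        for php in sorted(plugin_dir.glob("*.php")):
            version = plugin_version_from_header(php.read_text(errors="replace"))
            if version:
                break
        findings.append({
            "site": str(root),
            "version": version,
            "vulnerable": is_vulnerable(version) if version else None,
        })
    return findings


def demo() -> List[Dict]:
    """Build a constructed two-site WordPress tree (one patched, one not) in a
    temp dir and scan it; the main file name 'plugin.php' is made up."""
    base = Path(tempfile.mkdtemp())
    for site, version in (("site-a", "2.9.3"), ("site-b", "2.9.4")):
        plugin_dir = base / site / "wp-content" / "plugins" / PLUGIN_SLUG
        plugin_dir.mkdir(parents=True)
        (plugin_dir / "plugin.php").write_text(
            "<?php\n/**\n * Plugin Name: Product XML Feed Manager for WooCommerce\n"
            f" * Version: {version}\n */\n"
        )
        (plugin_dir / "helper.php").write_text("<?php\n// no plugin header here\n")
    return scan([base / "site-a", base / "site-b"])


if __name__ == "__main__":
    for f in demo():
        state = {True: "VULNERABLE", False: "patched", None: "unknown"}[f["vulnerable"]]
        print(f"{f['site']}: version {f['version']} -> {state}")
```

Run it against real installs by replacing the `demo()` roots with your site document roots; anything reported VULNERABLE needs the 2.9.4 upgrade, and an "unknown" result means the plugin directory exists but no standard header was found, which is worth a manual look.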
No active exploitation campaigns have been confirmed, but the critical severity makes this a high-priority fix; treat exploitation as likely once a public proof of concept appears.
Refer to the plugin's official website and changelog, and to the CVE record for CVE-2025-49887, for the latest information and updates.