Platform
wordpress
Component
wc-designer-pro
Fixed in
1.9.25
CVE-2025-60219 is an Arbitrary File Access vulnerability affecting WooCommerce Designer Pro, a WordPress plugin developed by HaruTheme. This vulnerability allows attackers to upload files of any type, including malicious web shells, to the web server. Versions of WooCommerce Designer Pro from 0.0 through 1.9.24 are affected. A patch is available in version 1.9.25.
The primary impact of CVE-2025-60219 is the ability for an attacker to gain complete control over the affected WordPress website. By uploading a web shell (e.g., a PHP script), an attacker can execute arbitrary code on the server with the privileges of the web server user. This could lead to data exfiltration, website defacement, malware deployment, and lateral movement within the network. The unrestricted file upload bypasses standard WordPress security measures, making exploitation relatively straightforward. The blast radius extends beyond the immediate website, potentially impacting any systems accessible from the compromised server. This vulnerability shares similarities with other unrestricted file upload flaws, where attackers leverage the ability to execute code on the server to achieve their objectives.
CVE-2025-60219 was published on 2025-09-26. The CVSS score of 10 (Critical) indicates a high probability of exploitation. While no public Proof-of-Concept (POC) code has been publicly released as of this writing, the ease of exploitation makes it a likely target for automated scanning and exploitation campaigns. The vulnerability is not currently listed on CISA’s Known Exploited Vulnerabilities (KEV) catalog, but its critical severity warrants close monitoring. EPSS score is expected to be high, reflecting the potential for widespread exploitation.
Exploit Status
EPSS
0.06% (19% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-60219 is to immediately upgrade WooCommerce Designer Pro to version 1.9.25 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds. These include restricting file uploads to only explicitly allowed file types through WordPress's built-in file upload filters, and implementing a Web Application Firewall (WAF) rule to block uploads of common web shell extensions (e.g., .php, .jsp, .asp). Additionally, review server configurations to ensure proper file permissions are in place, preventing the execution of uploaded files. After upgrading, verify the fix by attempting to upload a test file with a known malicious extension; the upload should be rejected.
Actualice el plugin WooCommerce Designer Pro a una versión corregida. Consulte la documentación del plugin o el sitio web del desarrollador para obtener instrucciones específicas sobre cómo actualizar. Asegúrese de realizar una copia de seguridad de su sitio web antes de realizar cualquier actualización.
Vulnerability analysis and critical alerts directly to your inbox.
It's a critical Arbitrary File Access vulnerability in WooCommerce Designer Pro allowing attackers to upload malicious files, potentially leading to full server compromise.
If you are using WooCommerce Designer Pro versions 0.0 through 1.9.24, you are vulnerable. Check your plugin version immediately.
Upgrade WooCommerce Designer Pro to version 1.9.25 or later. If immediate upgrade isn't possible, implement temporary workarounds like WAF rules and file type restrictions.
While no public POC exists yet, the vulnerability's severity and ease of exploitation make it a likely target for attackers. Monitor your systems closely.
Refer to the official HaruTheme advisory (if available) and the National Vulnerability Database (NVD) entry for CVE-2025-60219 for more details.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.