CVE-2025-60235: Arbitrary File Access in WooCommerce Support Ticket
Platform: wordpress
Component: support-ticket-system-for-woocommerce
Fixed in: 2.0.8
CVE-2025-60235 represents a critical Arbitrary File Access vulnerability discovered in the Plugify Support Ticket System for WooCommerce (Premium) plugin. This flaw allows attackers to upload files of any type, bypassing security restrictions and potentially leading to severe consequences. The vulnerability affects versions from 0.0 up to and including 2.0.7. A patch is expected to be released by the vendor to address this issue.
Impact and Attack Scenarios
The primary impact of CVE-2025-60235 is the ability for an attacker to upload arbitrary files to the server. This can be exploited to upload web shells, allowing for remote code execution and complete control over the affected WordPress site. Attackers could also upload malicious scripts to deface the website, steal sensitive data (customer information, order details, etc.), or inject malware into downloads. The blast radius extends beyond the immediate website, potentially impacting users and customers who interact with the site. Successful exploitation could lead to a complete compromise of the WordPress installation and associated data. The unrestricted file upload bypasses standard WordPress security measures, making it a particularly dangerous vulnerability.
Exploitation Context
CVE-2025-60235 was published on 2025-11-06. The EPSS score is currently pending evaluation, but given the critical CVSS score and the potential for remote code execution, it is likely to be assessed as high probability. Public proof-of-concept (POC) code is likely to emerge quickly given the ease of exploitation. Monitor security advisories from WordPress and WooCommerce for updates and further information. Check the NVD database for any updates regarding exploitation activity.
Threat Intelligence
EPSS: 0.08% (24th percentile)
CVSS Vector
- Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity: Low — no special conditions required. The attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required: None — unauthenticated. No login or credentials needed to exploit.
- User Interaction: None — the attack is automatic and silent. The victim does nothing: no click, no file open.
- Scope: Changed — a successful attack can pivot beyond the vulnerable component to other systems or the host OS.
- Confidentiality: High — complete confidentiality loss. The attacker can read all data: credentials, keys, personal data.
- Integrity: High — the attacker can write, modify, or delete any data: databases, config files, or code.
- Availability: High — complete crash or resource exhaustion. Full denial of service.
Affected Software
Package Information
- Active installs: 200 (niche)
- Plugin rating: 5.0
- Requires WordPress: 3.0.1+
- Compatible up to: 6.9.4
- Requires PHP: 5.2.4+
Mitigation and Workarounds
The immediate mitigation for CVE-2025-60235 is to upgrade the Plugify Support Ticket System for WooCommerce (Premium) plugin to a patched version as soon as it becomes available. If upgrading is not immediately possible because of compatibility issues or breaking changes, consider temporarily disabling the plugin to prevent further exploitation. Implement strict server-side file upload validation even after the plugin is updated, as an extra layer of defense. Review server access logs for any suspicious file uploads. Consider using a Web Application Firewall (WAF) with rules that block uploads of potentially malicious file types (e.g., PHP, ASPX, JSP). After upgrading, confirm the vulnerability is resolved by attempting to upload a test file with a known dangerous extension (e.g., .php) and verifying that the upload is blocked.
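The log review step above can be scripted. The following is an added example (not code from the advisory, the plugin or its vendor) that triages Apache/nginx "combined"-format access log lines and flags any request for an interpreter-handled file under the WordPress uploads tree, including double-extension names such as `name.php.jpg`. It assumes the default `/wp-content/uploads/` path and uses constructed sample log lines; the plugin's actual upload endpoint is not stated on this page and is not referenced.

```python
import re
from collections import namedtuple

# Apache/nginx "combined" log format; only the fields needed for triage are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Extensions a web server may hand to an interpreter. None of these belong under
# wp-content/uploads, which should only ever hold static files (images, PDFs, ...).
EXEC_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "aspx", "jsp"}
UPLOADS_PREFIX = "/wp-content/uploads/"  # assumption: default WordPress layout

Hit = namedtuple("Hit", "ip ts method path status reason")


def executable_segments(path):
    """Return the executable extensions found anywhere in the file name.

    Every dot-separated segment after the base name is checked, not just the
    last one, so double-extension names such as 'invoice.php.jpg' are caught.
    """
    name = path.split("?", 1)[0].rsplit("/", 1)[-1].lower()
    return [seg for seg in name.split(".")[1:] if seg in EXEC_EXTS]


def triage_access_log(lines):
    """Flag requests that touch executable files under the uploads tree."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole review
        path = m.group("path")
        if not path.startswith(UPLOADS_PREFIX):
            continue
        exts = executable_segments(path)
        if not exts:
            continue
        status = int(m.group("status"))
        reason = "executable extension %s under uploads" % "/".join(exts)
        if status == 200:
            reason += " (served with 200: possible web shell, inspect the file)"
        hits.append(Hit(m.group("ip"), m.group("ts"), m.group("method"), path, status, reason))
    return hits


# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Nov/2025:10:01:12 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [06/Nov/2025:10:01:15 +0000] "GET /wp-content/uploads/2025/11/ticket-1234.php?v=1 HTTP/1.1" 200 128',
    '198.51.100.4 - - [06/Nov/2025:10:02:01 +0000] "GET /wp-content/uploads/2025/11/screenshot.png HTTP/1.1" 200 40321',
    '203.0.113.7 - - [06/Nov/2025:10:03:30 +0000] "GET /wp-content/uploads/2025/11/invoice.php.jpg HTTP/1.1" 404 310',
]

if __name__ == "__main__":
    for hit in triage_access_log(SAMPLE_LOG):
        print(hit)
```

A hit with status 200 means the server actually served (and, depending on handler configuration, executed) the file, so it warrants immediate inspection; a 404 still records that someone probed for an uploaded executable.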
How to fix
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Frequently asked questions
What is CVE-2025-60235 — Arbitrary File Access in Support Ticket System for WooCommerce (Premium)?
It's a critical Arbitrary File Access vulnerability in the Plugify Support Ticket System for WooCommerce (Premium) plugin, allowing attackers to upload any file type.
Am I affected by CVE-2025-60235 in Support Ticket System for WooCommerce (Premium)?
If you're using Plugify Support Ticket System for WooCommerce (Premium) version 0.0 through 2.0.7, you are potentially affected by this vulnerability.
How do I fix CVE-2025-60235 in Support Ticket System for WooCommerce (Premium)?
Upgrade to the latest version of the plugin as soon as a patch is released by the vendor. Temporarily disable the plugin if upgrading is not immediately possible.
Is CVE-2025-60235 being actively exploited?
While no active campaigns are confirmed, the critical nature of the vulnerability and ease of exploitation suggest it is likely to be targeted soon.
Where can I find the official Support Ticket System for WooCommerce (Premium) advisory for CVE-2025-60235?
Refer to the official WordPress security advisories, the WooCommerce website, and the National Vulnerability Database (NVD) for updates and detailed information.