Platform: wordpress
Component: support-ticket-system-for-woocommerce
Fixed in: 2.0.8
CVE-2025-60235 is a critical Arbitrary File Access vulnerability in the Plugify Support Ticket System for WooCommerce (Premium) plugin. The flaw allows attackers to upload files of any type, bypassing the plugin's upload restrictions and potentially leading to severe consequences. It affects versions from 0.0 up to and including 2.0.7. A patch is expected to be released by the vendor to address this issue.
The primary impact of CVE-2025-60235 is the ability for an attacker to upload arbitrary files to the server. This can be exploited to upload web shells, allowing for remote code execution and complete control over the affected WordPress site. Attackers could also upload malicious scripts to deface the website, steal sensitive data (customer information, order details, etc.), or inject malware into downloads. The blast radius extends beyond the immediate website, potentially impacting users and customers who interact with the site. Successful exploitation could lead to a complete compromise of the WordPress installation and associated data. The unrestricted file upload bypasses standard WordPress security measures, making it a particularly dangerous vulnerability.
CVE-2025-60235 was published on 2025-11-06. The EPSS score is currently pending evaluation, but given the critical CVSS score and the potential for remote code execution, it is likely to be assessed as high probability. Public proof-of-concept (POC) code is likely to emerge quickly given the ease of exploitation. Monitor security advisories from WordPress and WooCommerce for updates and further information. Check the NVD database for any updates regarding exploitation activity.
Exploit Status
EPSS: 0.08% (24th percentile)
The immediate mitigation for CVE-2025-60235 is to upgrade the Plugify Support Ticket System for WooCommerce (Premium) plugin to a patched version as soon as it becomes available. If upgrading is not immediately possible because of compatibility issues or breaking changes, consider temporarily disabling the plugin to prevent exploitation in the meantime. Implement strict server-side file upload validation even after the plugin is updated, as an additional layer of defense. Review server access logs for suspicious file uploads. Consider using a Web Application Firewall (WAF) with rules that block uploads of potentially malicious file types (e.g., PHP, ASPX, JSP). After upgrading, confirm the vulnerability is resolved by attempting to upload a test file with a known dangerous extension (e.g., .php) and verifying that the upload is blocked.
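The server-side validation layer suggested above, as an added example that is not part of this advisory, WordPress core, or the Plugify plugin: a must-use plugin that enforces an extension allowlist on every upload routed through WordPress's `wp_handle_upload()`, using the real `wp_handle_upload_prefilter` filter. The file path, the allowlist and the deny-list of server-executable extensions are assumed policy values for a ticket-attachment use case, not settings taken from the plugin.

```php
<?php
// Added example for the mitigation section of this advisory; not code from the
// advisory, WordPress core, or the Plugify plugin. Save it as
// wp-content/mu-plugins/ticket-upload-guard.php (path is an assumption).
// The two lists below are assumed policy values; adjust them per site.

// Extensions a ticket attachment may end with (assumed allowlist).
const TICKET_UPLOAD_ALLOWED_EXT = ['png', 'jpg', 'jpeg', 'gif', 'pdf', 'txt', 'log', 'zip'];

// Server-executable extensions that must not appear anywhere in the name,
// so a double-extension name such as "invoice.php.pdf" is caught on its inner segment.
const TICKET_UPLOAD_EXEC_EXT = [
    'php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar', 'phps',
    'asp', 'aspx', 'jsp', 'cgi', 'pl', 'sh', 'htaccess',
];

/**
 * Return null when $filename is acceptable, otherwise the reason it is rejected.
 * Pure function with no WordPress dependency, so it can be exercised from the CLI.
 */
function ticket_upload_reject_reason(string $filename): ?string
{
    $name = basename($filename);
    // Empty names, dotfiles (.htaccess) and embedded NUL bytes are never acceptable.
    if ($name === '' || $name[0] === '.' || strpos($name, "\0") !== false) {
        return 'invalid file name';
    }
    $segments = explode('.', strtolower($name));
    if (count($segments) < 2) {
        return 'file has no extension';
    }
    array_shift($segments);             // drop the base name, keep every extension segment
    $final = end($segments);
    if (!in_array($final, TICKET_UPLOAD_ALLOWED_EXT, true)) {
        return "extension .$final is not allowed";
    }
    foreach ($segments as $ext) {       // inner segments, e.g. the "php" in "x.php.jpg"
        if (in_array($ext, TICKET_UPLOAD_EXEC_EXT, true)) {
            return "executable extension .$ext embedded in file name";
        }
    }
    return null;
}

// Hook every upload that passes through wp_handle_upload(). Setting
// $file['error'] to a non-empty string makes WordPress abort the upload and
// report the message instead of saving the file.
if (function_exists('add_filter')) {
    add_filter('wp_handle_upload_prefilter', function (array $file): array {
        $reason = ticket_upload_reject_reason((string) ($file['name'] ?? ''));
        if ($reason !== null) {
            $file['error'] = 'Upload blocked: ' . $reason;
            // Leave a trace for the log review the advisory recommends.
            error_log('ticket-upload-guard rejected ' . $file['name'] . ': ' . $reason);
        }
        return $file;
    });
}

// Stand-alone self-check when run from the CLI outside WordPress
// (`php ticket-upload-guard.php`); constructed sample names, not real uploads.
if (PHP_SAPI === 'cli' && !function_exists('add_filter')) {
    $cases = [
        'screenshot.PNG'  => null,
        'shell.php'       => 'extension .php is not allowed',
        'invoice.php.pdf' => 'executable extension .php embedded in file name',
        '.htaccess'       => 'invalid file name',
        'README'          => 'file has no extension',
    ];
    foreach ($cases as $file => $expected) {
        $got = ticket_upload_reject_reason($file);
        printf("%-18s %s\n", $file, $got === $expected ? 'ok' : "MISMATCH ($got)");
    }
}
```

The advisory's own verification step (uploading a `.php` test file after patching) would be answered by this filter with "Upload blocked: extension .php is not allowed". The limitation matters for this CVE: the filter only sees uploads that go through `wp_handle_upload()`, and plugin code that calls `move_uploaded_file()` directly never reaches it, which is why the filter is a second layer and not a substitute for updating the plugin. Disabling PHP execution inside `wp-content/uploads` at the web-server level is the usual companion control for the same reason.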
No known patch available. Study the details of the vulnerability thoroughly and apply mitigations based on your organization's risk tolerance. It may be best to remove the affected software and look for a replacement.
It's a critical Arbitrary File Access vulnerability in the Plugify Support Ticket System for WooCommerce (Premium) plugin, allowing attackers to upload any file type.
If you're using Plugify Support Ticket System for WooCommerce (Premium) version 0.0 through 2.0.7, you are potentially affected by this vulnerability.
Upgrade to the latest version of the plugin as soon as a patch is released by the vendor. Temporarily disable the plugin if upgrading is not immediately possible.
While no active campaigns are confirmed, the critical nature of the vulnerability and ease of exploitation suggest it is likely to be targeted soon.
Refer to the official WordPress security advisories, the WooCommerce website, and the National Vulnerability Database (NVD) for updates and detailed information.