Platform
wordpress
Component
medical-prescription-attachment-plugin-for-woocommerce
Fixed in
1.2.4
CVE-2025-29009 describes an Arbitrary File Access vulnerability within the Medical Prescription Attachment Plugin for WooCommerce. This flaw allows attackers to upload files of any type, including malicious web shells, to the web server. The vulnerability impacts versions from 0.0 up to and including 1.2.3, and a patch is available in version 1.2.4.
The primary impact of this vulnerability is the ability for an attacker to upload arbitrary files, specifically web shells, to the server hosting the WooCommerce store. A successful web shell upload grants the attacker remote code execution (RCE) capabilities, effectively providing complete control over the server. This could lead to data exfiltration, modification of website content, deployment of ransomware, or using the compromised server as a launchpad for further attacks against other systems on the network. The blast radius extends beyond the WooCommerce store itself, potentially impacting any sensitive data stored on the server or accessible from it.
The vulnerability's criticality (CVSS score of 10) indicates a high likelihood of exploitation. Public proof-of-concept (POC) code may emerge, further increasing the risk. While no active campaigns have been publicly reported as of the publication date, the ease of exploitation makes it a prime target for opportunistic attackers. The vulnerability was published on 2025-07-16, so monitoring threat intelligence feeds is crucial.
Exploit status
EPSS
0.08% (24th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade the Medical Prescription Attachment Plugin for WooCommerce to version 1.2.4 or later immediately. If upgrading is not immediately feasible because of compatibility issues or testing requirements, consider temporary workarounds: restrict file uploads at the server level to an explicit allowlist of file types (e.g., .pdf, .jpg), and add a Web Application Firewall (WAF) rule that blocks suspicious file uploads. Monitor web server logs for unusual file upload activity. After upgrading, verify the fix by attempting to upload a non-allowed file type (e.g., .php) through the plugin's interface; the upload should be rejected.
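For the log-monitoring step above, the following is an added example (not code from the page or from the plugin) that scans Apache/nginx combined-format access-log lines and flags any request for an executable-looking file under wp-content/uploads, including double extensions such as rx.php.jpg; the log lines are constructed, and the POST endpoint in them is a placeholder, not the plugin's real upload URL.

```python
import re
from collections import Counter
from typing import Optional

# Apache/nginx "combined" access-log format (assumed; adjust the regex for other formats).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Extensions a PHP handler may execute. Every extension component of the file name is
# checked, so a double extension such as "rx.php.jpg" is flagged as well.
EXEC_EXT = {"php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar"}
UPLOADS_PREFIX = "/wp-content/uploads/"

def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_suspicious_path(path: str) -> bool:
    """True for any request to an executable-looking file under the uploads tree."""
    path = path.split("?", 1)[0].lower()          # drop the query string, normalise case
    if not path.startswith(UPLOADS_PREFIX):
        return False
    name = path.rsplit("/", 1)[-1]
    return any(ext in EXEC_EXT for ext in name.split(".")[1:])

def scan_log(lines) -> list:
    """One finding per suspicious request. A 2xx status means the server served the
    file (and, for .php, most likely executed it), which is the worst case."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_suspicious_path(rec["path"]):
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
                             "status": rec["status"],
                             "served": rec["status"].startswith("2")})
    return findings

def hits_per_ip(findings) -> Counter:
    """Count flagged requests per client address for triage."""
    return Counter(f["ip"] for f in findings)

# Constructed sample log; not real traffic, and the POST target is only a placeholder.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Jul/2025:10:01:02 +0000] "GET /product/prescription-drug/ HTTP/1.1" 200 5120
203.0.113.7 - - [16/Jul/2025:10:01:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 43
203.0.113.7 - - [16/Jul/2025:10:01:15 +0000] "GET /wp-content/uploads/2025/07/cmd.php?c=id HTTP/1.1" 200 812
198.51.100.4 - - [16/Jul/2025:10:02:00 +0000] "GET /wp-content/uploads/2025/07/rx-scan.jpg HTTP/1.1" 200 88211
198.51.100.4 - - [16/Jul/2025:10:02:31 +0000] "GET /wp-content/uploads/2025/07/rx.php.jpg HTTP/1.1" 403 199
garbage line that does not parse
"""

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG.splitlines())
    for f in found:
        print(f)
    print(hits_per_ip(found))
```

A finding with "served": True deserves immediate attention, because a PHP file under uploads that the server answered with 200 is the signature of a web shell that is already reachable.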
Update the Medical Prescription Attachment Plugin for WooCommerce to the latest available version to fix the arbitrary file upload vulnerability. Check the plugin's source on wordpress.org for the most recent update. Consider implementing additional security measures, such as validating uploaded files, to mitigate the risk.
CVE-2025-29009 is a critical vulnerability in the Medical Prescription Attachment Plugin for WooCommerce allowing attackers to upload arbitrary files, potentially leading to server compromise. It affects versions 0.0 through 1.2.3 and carries a CVSS score of 10.
You are affected if you are using the Medical Prescription Attachment Plugin for WooCommerce versions 0.0 to 1.2.3. Check your plugin version immediately using the wp plugin list command.
Upgrade the Medical Prescription Attachment Plugin for WooCommerce to version 1.2.4 or later. If immediate upgrade is not possible, implement temporary workarounds like restricting file types and using a WAF.
While no active campaigns have been publicly reported, the vulnerability's criticality and ease of exploitation suggest a high likelihood of exploitation. Continuous monitoring is recommended.
Refer to the official WooCommerce security announcements and the plugin developer's website for the latest advisory and updates regarding CVE-2025-29009.