Platform
wordpress
Component
drag-and-drop-multiple-file-upload-for-woocommerce
Fixed in
1.1.5
CVE-2025-2941 is an arbitrary file move vulnerability in the Drag and Drop Multiple File Upload for WooCommerce WordPress plugin. Insufficient validation of user-supplied file paths lets unauthenticated attackers move files on the server's file system, which can lead to remote code execution. All versions up to and including 1.1.4 (0.0.0 through 1.1.4) are affected; the fix ships in version 1.1.5.
The core of the vulnerability is insufficient file path validation in the plugin's upload handling. An attacker crafts a request whose wc-upload-file[] parameter carries a path rather than a bare file name, and the plugin uses that value as the destination of a file move, so the file lands wherever the attacker points it, anywhere the web server user can write. The most dangerous target is wp-config.php, which holds the database credentials and the site's security keys. Moving that file out of the web root is enough on its own: with wp-config.php gone, WordPress falls back to its installation routine, and an unauthenticated attacker can complete it against a database they control, which yields administrator access and the ability to run arbitrary PHP. Combined with data theft and full site compromise, this makes the issue a critical-severity risk.
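The following is an added illustration of the flaw class, not the plugin's own code (the page does not reproduce it, and the exact fix in 1.1.5 is not shown here). It contrasts a destination computed straight from user input, as the advisory describes, with a hardened check that accepts only a bare file name and confirms the resolved target stays inside the upload directory, then applies that same check to a constructed wc-upload-file[] array the way a WAF rule or request filter would. The upload directory path and the sample values are assumptions made for the example.

```python
import os

# Assumed upload directory for the example; the plugin's real target directory
# is not given on the page.
UPLOAD_DIR = "/var/www/html/wp-content/uploads/wc-uploads"


def vulnerable_move_target(upload_dir: str, user_path: str) -> str:
    """Flaw class from the advisory: the user-supplied value is joined to the
    upload directory and used as the move destination without validation.
    os.path.join discards upload_dir entirely when user_path is absolute, and
    '..' segments walk out of it."""
    return os.path.normpath(os.path.join(upload_dir, user_path))


def safe_move_target(upload_dir: str, user_path: str) -> str:
    """Hardened version: accept a bare file name only, then verify that the
    resolved destination is still inside upload_dir. Raises ValueError on
    anything else so the caller can block the request and alert."""
    if "\x00" in user_path:
        raise ValueError("null byte in file name")
    # Treat backslashes as separators so a Windows-style path cannot sneak through.
    normalized = user_path.replace("\\", "/")
    if normalized.startswith("/") or "/" in normalized:
        raise ValueError("directory components are not allowed")
    if normalized in ("", ".", ".."):
        raise ValueError("empty or dot-only file name")
    base = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(base, normalized))
    # Defence in depth: even after the checks above, confirm containment.
    if os.path.commonpath([base, target]) != base:
        raise ValueError("target escapes the upload directory")
    return target


def screen_upload_values(values):
    """WAF-style screening of a request's wc-upload-file[] array (the parameter
    named in the advisory). Returns the values the hardened check rejects;
    a non-empty result means the request should be blocked and logged."""
    rejected = []
    for value in values:
        try:
            safe_move_target(UPLOAD_DIR, value)
        except ValueError:
            rejected.append(value)
    return rejected


if __name__ == "__main__":
    # Constructed sample values, not captured traffic.
    sample = [
        "invoice.pdf",
        "../../../wp-config.php",
        "/var/www/html/wp-config.php",
        "..\\..\\wp-config.php",
        "report.pdf\x00.php",
    ]
    for v in sample:
        print(repr(v), "->", vulnerable_move_target(UPLOAD_DIR, v))
    print("rejected:", screen_upload_values(sample))
```

Run as a script, the vulnerable function shows the traversal value resolving to the site's wp-config.php and the absolute value replacing the upload directory outright, while the screening function rejects every value except the plain file name. Rejecting rather than silently sanitising is deliberate: a stripped path hides the attack attempt from logs and alerting.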
CVE-2025-2941 was publicly disclosed on April 5, 2025. No public proof-of-concept (PoC) code had been released at the time of writing, but the flaw requires no authentication and the path to remote code execution is short, so exploitation is likely. The large WordPress install base makes the plugin a natural target for automated scanning and mass-exploitation campaigns. The CVE is not currently listed in the CISA KEV catalog.
WordPress websites utilizing the Drag and Drop Multiple File Upload for WooCommerce plugin, particularly those running vulnerable versions (0.0.0–1.1.4), are at significant risk. Shared hosting environments where multiple WordPress installations share the same server resources are especially vulnerable, as a compromise of one site could potentially lead to the compromise of others.
• wordpress / composer / npm (confirms the plugin code is present; use -F so grep treats the brackets literally):
grep -rF 'wc-upload-file[]' /var/www/html/wp-content/plugins/drag-and-drop-multiple-file-upload-for-woocommerce/
• generic web (the plugin's readme.txt, if readable, reports the packaged version in its Stable tag header):
curl -s https://your-wordpress-site.com/wp-content/plugins/drag-and-drop-multiple-file-upload-for-woocommerce/readme.txt | grep -i 'Stable tag'
• wordpress / composer / npm (installed version; anything below 1.1.5 is affected):
wp plugin list --fields=name,version | grep 'drag-and-drop-multiple-file-upload-for-woocommerce'
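The checks above tell you whether the plugin is present; deciding whether the installed build is affected still needs a correct version comparison (a lexical compare puts "1.1.10" below "1.1.5"). This added example, not the page's or the plugin's own tooling, parses the two places the version shows up, a readme.txt Stable tag and wp-cli's CSV output, and compares numerically against the fixed version 1.1.5 named on the page. The sample readme text and CSV rows are constructed for the example.

```python
import csv
import io
import re

PLUGIN_SLUG = "drag-and-drop-multiple-file-upload-for-woocommerce"
FIXED_VERSION = "1.1.5"  # first fixed release, per the advisory page


def parse_version(version: str):
    """Turn '1.1.4' into (1, 1, 4) so comparisons are numeric, not lexical.
    Returns None when the value carries no digits (e.g. a 'trunk' Stable tag)."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version))
    return parts or None


def is_affected(installed: str):
    """True if installed < 1.1.5, False if it is 1.1.5 or later,
    None if the version string cannot be interpreted."""
    v = parse_version(installed)
    if v is None:
        return None
    return v < parse_version(FIXED_VERSION)


def version_from_readme(readme_text: str):
    """Read the 'Stable tag:' header from a plugin readme.txt, the
    WordPress.org packaging convention that is also reachable over HTTP."""
    m = re.search(r"^Stable tag:\s*(\S+)", readme_text, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def triage_wp_cli_csv(csv_text: str):
    """Parse `wp plugin list --format=csv --fields=name,status,version` output.
    Returns (version, affected) for the plugin, or None if it is not installed."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get("name") == PLUGIN_SLUG:
            return row["version"], is_affected(row["version"])
    return None


# Constructed sample inputs, not taken from a real site.
SAMPLE_README = "=== Drag and Drop Multiple File Upload for WooCommerce ===\nStable tag: 1.1.4\n"
SAMPLE_WP_CLI_CSV = (
    "name,status,version\n"
    "akismet,inactive,5.3\n"
    f"{PLUGIN_SLUG},active,1.1.4\n"
)

if __name__ == "__main__":
    print("readme says:", version_from_readme(SAMPLE_README))
    print("wp-cli triage:", triage_wp_cli_csv(SAMPLE_WP_CLI_CSV))
    for v in ("1.1.4", "1.1.5", "1.1.10", "trunk"):
        print(v, "affected:", is_affected(v))
```

Feed it the real `wp plugin list --format=csv --fields=name,status,version` output from each site in a fleet; a `trunk` Stable tag or a missing row is reported as unknown rather than silently treated as safe.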
Exploit status
EPSS
2.94% (86th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade the Drag and Drop Multiple File Upload for WooCommerce plugin to 1.1.5 or later immediately. If upgrading is not immediately feasible because of compatibility concerns, apply temporary workarounds: deactivate the plugin if the upload feature is not essential, add a Web Application Firewall (WAF) rule that blocks requests whose wc-upload-file[] values contain path separators, traversal sequences or absolute paths, and tighten file system permissions so the web server user cannot write outside the uploads directory (in particular, wp-config.php and the web root should not be writable by it). Patching the plugin's code yourself is a last resort and will be overwritten by the next update. Monitor web server and WordPress logs for unexpected requests to the plugin's endpoints and for signs that core files have moved, such as a site suddenly presenting the WordPress installation screen. After upgrading, confirm the installed version is 1.1.5 or later and, on a staging copy, that an upload whose file name contains traversal sequences or an absolute path is rejected.
Update the Drag and Drop Multiple File Upload for WooCommerce plugin to the latest available version to resolve the arbitrary file move vulnerability. The update adds the file path validation that was missing, preventing unauthenticated attackers from manipulating files on the server. Make a backup of your site before updating.
CVE-2025-2941 is a critical vulnerability allowing unauthenticated attackers to move files on a WordPress server, potentially leading to remote code execution. It affects versions 0.0.0 to 1.1.4 of the Drag and Drop Multiple File Upload for WooCommerce plugin.
You are affected if your WordPress site uses the Drag and Drop Multiple File Upload for WooCommerce plugin and is running version 0.0.0 through 1.1.4. Check your plugin versions immediately.
Upgrade the Drag and Drop Multiple File Upload for WooCommerce plugin to the latest available version. If upgrading isn't possible immediately, implement temporary workarounds like WAF rules or file permission restrictions.
While no public exploits are currently available, the vulnerability's severity and ease of exploitation suggest a high probability of active exploitation. Monitor your systems closely.
Refer to the plugin's changelog on WordPress.org and the public CVE record for CVE-2025-2941 for updates and further information; the plugin is third-party code, so WooCommerce and WordPress core advisories will not cover it.