Platform
wordpress
Component
product-xml-feeds-for-woocommerce
Fixed in
2.9.4
CVE-2025-49887 is a Remote Code Execution (RCE) vulnerability in the Product XML Feed Manager for WooCommerce plugin (slug product-xml-feeds-for-woocommerce). It is an improper control of code generation (code injection) flaw that allows Remote Code Inclusion: the plugin can be made to include and execute code the attacker controls on the server. All plugin versions up to and including 2.9.3 are affected; version 2.9.4 contains the fix.
The impact is severe. Successful exploitation gives the attacker arbitrary code execution as the web server's PHP user on the host running the WooCommerce store. From there the attacker can read, modify or delete site and customer data, create or elevate WordPress administrator accounts, install backdoored plugins or themes, and use the server as a foothold for attacks on other systems. Because the attacker's code is included and executed directly rather than passed through the application's own request handlers, input validation elsewhere in the site offers no protection.
The vulnerability has been publicly disclosed and carries a CRITICAL CVSS score of 9.9. No active exploitation campaigns had been confirmed at the time of writing, and it is not listed in CISA KEV, but the ease of exploitation and the impact of a successful attack make it a high-priority item. Public proof-of-concept code is likely to appear, which would increase the risk of widespread exploitation.
WooCommerce store owners running the Product XML Feed Manager for WooCommerce plugin at version 2.9.3 or older are at significant risk. Sites on shared hosting are especially exposed, since operators there typically have little control over server configuration and plugin hardening.
• wordpress / composer / npm:
wp plugin list --fields=name,status,version | grep product-xml-feeds-for-woocommerce
• wordpress / composer / npm:
grep -rnF "include(\$_REQUEST['file'])" /var/www/wordpress/wp-content/plugins/product-xml-feeds-for-woocommerce/
• wordpress / composer / npm:
wp plugin update product-xml-feeds-for-woocommerce
Exploit status
disclosure
EPSS
0.06% (18th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade the Product XML Feed Manager for WooCommerce plugin to version 2.9.4 or later immediately. If the upgrade cannot be applied right away because of compatibility concerns, deactivate the plugin in the meantime. Note that WordPress does not block direct HTTP requests to files under wp-content/plugins, so the PHP files of an inactive plugin remain reachable; if you cannot update, removing the plugin directory is safer than merely deactivating it. As secondary measures, restrict what the PHP process can write and execute (for example, no PHP execution from the uploads directory) to limit an attacker's ability to stage and run code, and add Web Application Firewall (WAF) rules that block suspicious file uploads and requests that try to include external code. Do not rely on PHP's allow_url_include being off as a mitigation: it only prevents including remote URLs, not files the attacker has already placed on the server. Regularly review installed plugins and keep only those from trusted sources.
Update the Product XML Feed Manager for WooCommerce plugin to version 2.9.4 or later to mitigate the remote code execution vulnerability. This update addresses the improper control of code generation that allows remote code inclusion.
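The checks above (the WP-CLI version check, the grep for request-driven include() calls, and the upgrade-or-remove decision) can be scripted so they run without WP-CLI and against any copy of the plugin tree. The script below is an added example, not code from the advisory or from the plugin's authors. It reads the version from the plugin's main file header (assumed to be product-xml-feeds-for-woocommerce.php with a standard "Version:" line), compares it with the fixed release 2.9.4 using a dotted-version comparison, and scans the tree for include/require statements fed directly from request superglobals, which generalises the single literal pattern in the grep command above. The sample plugin directory it builds is constructed for the demo; the file names and the dangerous include line in it are assumptions.

```shell
#!/bin/sh
# Added example for CVE-2025-49887 triage; not part of the original advisory
# or the plugin project. Assumes the plugin's main file is
# product-xml-feeds-for-woocommerce.php with a "Version:" header line.

FIXED_VERSION="2.9.4"

# Print the version from the plugin's main file header; return 1 if the
# file is missing.
plugin_version() {
    main="$1/product-xml-feeds-for-woocommerce.php"
    [ -f "$main" ] || return 1
    sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$main" | head -n 1
}

# True (exit 0) if dotted numeric version $1 is lower than $2.
# Compares component by component so 2.10.0 sorts above 2.9.4.
version_lt() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; a=${a#*.}
        y=${b%%.*}; b=${b#*.}
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1
}

# Verdict for a plugin directory: "vulnerable", "fixed" or "unknown".
check_plugin_dir() {
    v=$(plugin_version "$1") || { echo unknown; return 0; }
    [ -n "$v" ] || { echo unknown; return 0; }
    if version_lt "$v" "$FIXED_VERSION"; then echo vulnerable; else echo fixed; fi
}

# Count include/require statements whose argument is taken straight from a
# request superglobal ($_GET, $_POST, $_REQUEST, $_COOKIE). Prints the count.
scan_dynamic_includes() {
    grep -rnE --include='*.php' \
        '(include|include_once|require|require_once)[[:space:]]*\(?[[:space:]]*\$_(GET|POST|REQUEST|COOKIE)\[' \
        "$1" | wc -l | tr -d ' '
}

# Build a constructed sample plugin tree in a temp directory and print its
# path. $1 is the version to write into the header; pass "clean" as $2 to
# omit the dangerous include (assumed layout, for demonstration only).
make_sample_plugin() {
    d=$(mktemp -d)
    mkdir -p "$d/inc"
    cat > "$d/product-xml-feeds-for-woocommerce.php" <<EOF
<?php
/**
 * Plugin Name: Product XML Feed Manager for WooCommerce (constructed sample)
 * Version: $1
 */
EOF
    if [ "${2:-}" != clean ]; then
        cat > "$d/inc/feed-loader.php" <<'EOF'
<?php
// Constructed sample of the dangerous pattern: request input straight into include().
include($_REQUEST['file']);
EOF
    fi
    echo "$d"
}

# Demo on the constructed sample. In practice point check_plugin_dir and
# scan_dynamic_includes at wp-content/plugins/product-xml-feeds-for-woocommerce.
demo_dir=$(make_sample_plugin 2.9.3)
echo "sample 2.9.3: $(check_plugin_dir "$demo_dir"), dynamic includes: $(scan_dynamic_includes "$demo_dir")"
```

A "vulnerable" verdict with a non-zero include count means update to 2.9.4 now or remove the plugin directory; a "vulnerable" verdict with zero hits still means update, since the scan only catches the most direct form of the pattern.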
CVE-2025-49887 is a critical Remote Code Execution vulnerability in the Product XML Feed Manager for WooCommerce plugin, allowing attackers to execute arbitrary code on your server.
You are affected if you run any version of Product XML Feed Manager for WooCommerce up to and including 2.9.3. Check the installed version immediately, from the Plugins screen or with wp plugin list.
Upgrade the Product XML Feed Manager for WooCommerce plugin to version 2.9.4 or later to resolve this vulnerability. If upgrading is not possible, deactivate the plugin, or remove it entirely if its files must not remain reachable.
No active exploitation campaigns have been confirmed, but the severity of the flaw and the ease of exploiting it make it a high-priority target, and the likelihood of exploitation is high.
Refer to the plugin's official changelog and the CVE record for CVE-2025-49887 for the latest information and updates.