CVE-2025-4403
Drag and Drop Multiple File Upload for WooCommerce <= 1.1.6 - Unauthenticated Arbitrary File Upload via upload Function
We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.
Please see our statement on Data Privacy.
Drag and Drop Multiple File Upload for WooCommerce <= 1.1.6 - Unauthenticated Arbitrary File Upload via upload Function
The Drag and Drop Multiple File Upload for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads in all versions up to, and including, 1.1.6 due to accepting a user‐supplied supported_type string and the uploaded filename without enforcing real extension or MIME checks within the upload() function. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Reserved 2025-05-06 | Published 2025-05-09 | Updated 2025-05-09 | Assigner WordfenceCWE-434 Unrestricted Upload of File with Dangerous Type
| 2025-05-08: | Disclosed |
RIN MIYACHI
www.wordfence.com/...-5a31-42a9-9b87-bf14a9d4ffa9?source=cve
wordpress.org/...-drop-multiple-file-upload-for-woocommerce/
plugins.trac.wordpress.org/....6/inc/class-dnd-upload-wc.php
plugins.trac.wordpress.org/....6/inc/class-dnd-upload-wc.php
plugins.trac.wordpress.org/changeset/3289478/
Support options
