{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-10412", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-13T23:01:44.618Z", "datePublished": "2025-09-23T09:25:56.611Z", "dateUpdated": "2026-04-08T16:38:26.006Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:38:26.006Z"}, "affected": [{"vendor": "MooMoo", "product": "Product Options and Price Calculation Formulas for WooCommerce \u2013 Uni CPO (Premium)", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.9.55", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Product Options and Price Calculation Formulas for WooCommerce \u2013 Uni CPO (Premium) plugin for WordPress is vulnerable to arbitrary file uploads due to misconfigured file type validation in the 'uni_cpo_upload_file' function in all versions up to, and including, 4.9.55. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible."}], "title": "Product Options and Price Calculation Formulas for WooCommerce \u2013 Uni CPO (Premium) <= 4.9.55 - Unauthenticated Arbitrary File Upload via 'uni_cpo_upload_file'", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1c0c6a45-2c4a-4a23-84e6-7a9759796824?source=cve"}, {"url": "https://moomoo.agency/cpo"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type", "cweId": "CWE-434", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "credits": [{"lang": "en", "type": "finder", "value": "Ren Voza"}], "timeline": [{"time": "2025-09-19T16:47:20.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-09-22T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-23T19:30:19.431479Z", "id": "CVE-2025-10412", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-23T19:30:38.993Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-10412", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-23T19:30:19.431479Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-23T19:30:24.115Z"}}], "cna": {"title": "Product Options and Price Calculation Formulas for WooCommerce \u2013 Uni CPO (Premium) <= 4.9.55 - Unauthenticated Arbitrary File Upload via 'uni_cpo_upload_file'", "credits": [{"lang": "en", "type": "finder", "value": "Ren Voza"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "MooMoo", "product": "Product Options and Price Calculation Formulas for WooCommerce \u2013 Uni CPO (Premium)", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.9.55"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-09-19T16:47:20.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-09-22T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1c0c6a45-2c4a-4a23-84e6-7a9759796824?source=cve"}, {"url": "https://moomoo.agency/cpo"}], "descriptions": [{"lang": "en", "value": "The Product Options and Price Calculation Formulas for WooCommerce \u2013 Uni CPO (Premium) plugin for WordPress is vulnerable to arbitrary file uploads due to misconfigured file type validation in the 'uni_cpo_upload_file' function in all versions up to, and including, 4.9.55. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:38:26.006Z"}}}, "cveMetadata": {"cveId": "CVE-2025-10412", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:38:26.006Z", "dateReserved": "2025-09-13T23:01:44.618Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-09-23T09:25:56.611Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Product Options and Price Calculation Formulas for WooCommerce \u2013 Uni CPO (Premium) plugin for WordPress is vulnerable to arbitrary file uploads due to misconfigured file type validation in the 'uni_cpo_upload_file' function in all versions up to, and including, 4.9.55. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible."}], "id": "CVE-2025-10412", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-09-23T10:15:34.650", "references": [{"source": "security@wordfence.com", "url": "https://moomoo.agency/cpo"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1c0c6a45-2c4a-4a23-84e6-7a9759796824?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-27T23:47:46.787573+00:00", "value": {"mitigation_remediation": ["Update the Uni CPO (Premium) plugin to the latest version that resolves the upload validation flaw (e.g., version 4.9.56 or later).", "If an update is not immediately available, disable the 'uni_cpo_upload_file' upload endpoint by removing or renaming the corresponding admin URL or turning off the upload feature in the plugin settings.", "Configure a web application firewall or file upload filter to reject disallowed file extensions and MIME types, and restrict upload directories to prevent execution of uploaded files."], "summary": {"action": "Immediate Patch", "impact": "unauthenticated arbitrary file upload potentially enabling remote code execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects MooMoo\u2019s Product Options and Price Calculation Formulas for WooCommerce \u2013 Uni CPO (Premium) plugin, versions up to and including 4.9.55. Any WordPress site running an affected version is at risk.", "description_and_impact": "The Uni CPO (Premium) plugin for WooCommerce does not properly validate uploaded file types in its 'uni_cpo_upload_file' routine, which allows an attacker to upload malicious files. If an uploaded file contains executable code, the attacker could achieve remote code execution on the server. This flaw is categorized as CWE-434 and scored 9.8 on CVSS, indicating a severe vulnerability.", "risk_and_exploitability": "With an EPSS score of less than 1\u202f% the exploitation probability is low, but the lack of authentication makes the attack path simple; the attacker can upload files from any external source. The vulnerability is not currently listed in CISA\u2019s KEV catalog, yet the high CVSS score signals critical importance. Protection against exploitation hinges on the ability to block or filter the upload endpoint and to keep the plugin patched when a fix becomes available."}}}}, "created": "2025-09-23T16:03:17.854504+00:00", "updated": "2026-04-28T00:00:18.098376+00:00", "vendors": ["woocommerce", "woocommerce$PRODUCT$woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}