{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-4403", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-05-06T22:02:08.760Z", "datePublished": "2025-05-09T08:24:05.915Z", "dateUpdated": "2026-04-08T17:09:37.336Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:09:37.336Z"}, "affected": [{"vendor": "glenwpcoder", "product": "Drag and Drop Multiple File Upload for WooCommerce", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Drag and Drop Multiple File Upload for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads in all versions up to, and including, 1.1.6 due to accepting a user\u2010supplied supported_type string and the uploaded filename without enforcing real extension or MIME checks within the upload() function. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible."}], "title": "Drag and Drop Multiple File Upload for WooCommerce <= 1.1.6 - Unauthenticated Arbitrary File Upload via upload Function", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/933dd704-5a31-42a9-9b87-bf14a9d4ffa9?source=cve"}, {"url": "https://wordpress.org/plugins/drag-and-drop-multiple-file-upload-for-woocommerce/#developers"}, {"url": "https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-for-woocommerce/tags/1.1.6/inc/class-dnd-upload-wc.php#L360"}, {"url": "https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-for-woocommerce/tags/1.1.6/inc/class-dnd-upload-wc.php#L158"}, {"url": "https://plugins.trac.wordpress.org/changeset/3289478/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type", "cweId": "CWE-434", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "credits": [{"lang": "en", "type": "finder", "value": "RIN MIYACHI"}], "timeline": [{"time": "2025-05-08T20:19:50.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-09T14:41:38.446281Z", "id": "CVE-2025-4403", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-09T14:44:30.717Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-4403", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-05-09T14:41:38.446281Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-09T14:43:20.261Z"}}], "cna": {"title": "Drag and Drop Multiple File Upload for WooCommerce <= 1.1.6 - Unauthenticated Arbitrary File Upload via upload Function", "credits": [{"lang": "en", "type": "finder", "value": "RIN MIYACHI"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "glenwpcoder", "product": "Drag and Drop Multiple File Upload for WooCommerce", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.1.6"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-05-08T20:19:50.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/933dd704-5a31-42a9-9b87-bf14a9d4ffa9?source=cve"}, {"url": "https://wordpress.org/plugins/drag-and-drop-multiple-file-upload-for-woocommerce/#developers"}, {"url": "https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-for-woocommerce/tags/1.1.6/inc/class-dnd-upload-wc.php#L360"}, {"url": "https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-for-woocommerce/tags/1.1.6/inc/class-dnd-upload-wc.php#L158"}, {"url": "https://plugins.trac.wordpress.org/changeset/3289478/"}], "descriptions": [{"lang": "en", "value": "The Drag and Drop Multiple File Upload for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads in all versions up to, and including, 1.1.6 due to accepting a user\u2010supplied supported_type string and the uploaded filename without enforcing real extension or MIME checks within the upload() function. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-05-09T08:24:05.915Z"}}}, "cveMetadata": {"cveId": "CVE-2025-4403", "state": "PUBLISHED", "dateUpdated": "2025-05-09T14:44:30.717Z", "dateReserved": "2025-05-06T22:02:08.760Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-05-09T08:24:05.915Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Drag and Drop Multiple File Upload for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads in all versions up to, and including, 1.1.6 due to accepting a user\u2010supplied supported_type string and the uploaded filename without enforcing real extension or MIME checks within the upload() function. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible."}, {"lang": "es", "value": "El complemento Drag and Drop Multiple File Upload for WooCommerce de WordPress es vulnerable a la carga de archivos arbitrarios en todas las versiones hasta la 1.1.6 incluida, ya que acepta una cadena de tipo admitido proporcionada por el usuario y el nombre del archivo cargado sin aplicar las comprobaciones de extensi\u00f3n real ni MIME en la funci\u00f3n upload(). Esto permite que atacantes no autenticados carguen archivos arbitrarios en el servidor del sitio afectado, lo que podr\u00eda posibilitar la ejecuci\u00f3n remota de c\u00f3digo. "}], "id": "CVE-2025-4403", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-05-09T09:15:19.610", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-for-woocommerce/tags/1.1.6/inc/class-dnd-upload-wc.php#L158"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-for-woocommerce/tags/1.1.6/inc/class-dnd-upload-wc.php#L360"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3289478/"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/drag-and-drop-multiple-file-upload-for-woocommerce/#developers"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/933dd704-5a31-42a9-9b87-bf14a9d4ffa9?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T20:52:39.219252+00:00", "value": {"mitigation_remediation": ["Update the Drag and Drop Multiple File Upload for WooCommerce plugin to a version newer than 1.1.6, ensuring that file type validation and MIME checks are enforced.", "If an upgrade is not immediately possible, consider disabling or uninstalling the plugin until a patch can be applied to prevent the upload functionality from being exposed.", "Configure the web server or host to block execution of files uploaded through the plugin directory. This can be done by adding rules that deny PHP or other executable extensions in the uploads folder, or by using .htaccess directives to turn off execution for that directory."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary File Upload with potential Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Sites that have installed the Drag and Drop Multiple File Upload for WooCommerce plugin up to and including version 1.1.6. These include any WordPress installation using WooCommerce that relies on this plugin for handling product media uploads.", "description_and_impact": "The vulnerability exists in the Drag and Drop Multiple File Upload for WooCommerce plugin for WordPress. The upload() function accepts a user\u2011supplied supported_type string and the uploaded filename without enforcing real file extension or MIME checks. Because this validation is missing, an unauthenticated attacker can upload files of any type, which can lead to execution of malicious code or other compromise of the affected site\u2019s server.", "risk_and_exploitability": "With a CVSS score of 9.8, the risk is considered critical. The EPSS score of 3% indicates a non\u2011negligible chance of exploitation in the current threat landscape. The vulnerability is not listed in CISA\u2019s KEV catalog, but attackers can exploit it remotely via the plugin\u2019s upload endpoint without authentication, making it highly actionable. An attacker could achieve arbitrary code execution on the server by uploading a malicious script or payload."}}}}, "created": "2026-04-21T21:00:36.006455+00:00", "updated": "2026-04-21T21:00:36.006470+00:00", "vendors": []}