Description
The Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) plugin for WordPress is vulnerable to arbitrary file uploads due to misconfigured file type validation in the 'uni_cpo_upload_file' function in all versions up to, and including, 4.9.55. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Published: 2025-09-23
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: unauthenticated arbitrary file upload potentially enabling remote code execution
Action: Immediate Patch
AI Analysis

Impact

The Uni CPO (Premium) plugin for WooCommerce does not properly validate uploaded file types in its 'uni_cpo_upload_file' routine, so an attacker can upload files of types the site never intended to accept. If the attacker can place a server-side script (for example a PHP file) in a web-accessible directory and then request it, the result is remote code execution as the web server user. The flaw is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) and carries a CVSS 3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): reachable over the network, no privileges, no user interaction.
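To make the CWE-434 pattern concrete, the following is an added example written for this page; it is not code from the Uni CPO plugin, whose actual handler the advisory does not show. It puts a hypothetical WordPress AJAX upload handler that validates the file type the way many vulnerable plugins do beside a hardened version built on the WordPress upload APIs. Every function, action and nonce name prefixed hypo_ is an assumption.

```php
<?php
// Added example for this page, not code from the Uni CPO plugin (the advisory
// does not show the plugin's handler). Every name prefixed "hypo_" is hypothetical.

// ---- Vulnerable pattern (CWE-434): validation that the attacker controls ----
// The only "type" check is against $_FILES['file']['type'], which the browser
// (or curl) sets freely, and the file is stored under its original name inside
// the web root. A PHP script sent as "shell.php" with Content-Type: image/jpeg
// passes and is then reachable at .../uploads/cpo/shell.php.
function hypo_vulnerable_upload() {
    $allowed = array( 'image/jpeg', 'image/png', 'application/pdf' );
    $file    = $_FILES['file'];
    if ( ! in_array( $file['type'], $allowed, true ) ) {
        wp_send_json_error( 'bad type', 415 );
    }
    $dir  = wp_upload_dir();
    $name = basename( $file['name'] );
    move_uploaded_file( $file['tmp_name'], $dir['basedir'] . '/cpo/' . $name );
    wp_send_json_success( array( 'url' => $dir['baseurl'] . '/cpo/' . $name ) );
}

// ---- Hardened handler: decide the type from the file's bytes, not its label ----
function hypo_allowed_mimes() {
    // Allowlist keyed by extension pattern, the format wp_check_filetype_and_ext() expects.
    return array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'pdf'      => 'application/pdf',
    );
}

function hypo_random_name( $dir, $name, $ext ) {
    // $ext is the validated extension, leading dot included; the original name is dropped.
    return wp_generate_password( 24, false ) . $ext;
}

function hypo_safe_upload() {
    // Nonce: proves the request came from a page that rendered the form. For an
    // endpoint open to anonymous users it does not prove identity, so the type
    // allowlist below is the control that actually matters.
    check_ajax_referer( 'hypo_upload', 'nonce' );

    if ( empty( $_FILES['file']['tmp_name'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( 'no file uploaded', 400 );
    }

    $mimes = hypo_allowed_mimes();

    // Content sniffing (image headers / finfo) cross-checked against the extension:
    // a PHP script named x.jpg, or sent with an image Content-Type, yields ext=false.
    $check = wp_check_filetype_and_ext( $_FILES['file']['tmp_name'], $_FILES['file']['name'], $mimes );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }

    // wp_handle_upload() repeats the type check, moves the file into the uploads
    // directory and renames it via the callback, so no attacker-chosen name survives.
    $result = wp_handle_upload(
        $_FILES['file'],
        array(
            'test_form'                => false,
            'mimes'                    => $mimes,
            'unique_filename_callback' => 'hypo_random_name',
        )
    );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 415 );
    }

    wp_send_json_success( array( 'url' => $result['url'] ) );
}

// Same handler for logged-in and anonymous callers; the validation does not
// depend on who is asking.
add_action( 'wp_ajax_hypo_upload',        'hypo_safe_upload' );
add_action( 'wp_ajax_nopriv_hypo_upload', 'hypo_safe_upload' );
```

The difference that matters is where the type decision comes from. The vulnerable handler believes the MIME label the client sends and keeps the client's filename, so the extension that reaches the web server is the attacker's. The hardened handler lets wp_check_filetype_and_ext() derive the type from the file's contents and compare it with the extension, restricts both to a short allowlist passed as mimes, and stores the file under a server-chosen name carrying only the validated extension.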

Affected Systems

The vulnerability affects MooMoo’s Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) plugin, versions up to and including 4.9.55. The affected range was first published as <= 4.9.54 and widened to <= 4.9.55 on 2026-04-08 (see History), so a site that updated to 4.9.55 is still affected. Any WordPress site running an affected version is at risk.

Risk and Exploitability

With an EPSS score below 1 % the predicted probability of exploitation in the wild is low, and the CISA SSVC assessment recorded on 2025-09-23 (Exploitation: none, Automatable: no) points the same way; the vulnerability is not listed in CISA’s KEV catalog. The attack path is nonetheless simple: the upload handler is reachable without authentication, so any remote client that can reach the site can submit a file, which is why the CVSS 3.1 base score is 9.8. Until a fixed release is installed, protection hinges on blocking or filtering requests to the upload handler and on preventing execution of whatever lands in the upload directory.

Generated by OpenCVE AI on April 27, 2026 at 23:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Uni CPO (Premium) plugin to a release later than 4.9.55 whose vendor changelog states that the 'uni_cpo_upload_file' validation flaw is fixed. The affected range was widened from <= 4.9.54 to <= 4.9.55 on 2026-04-08, so confirm the installed version against the vendor's advisory rather than assuming the next release resolves it.
  • If an update is not immediately available, disable the unauthenticated upload path. The advisory names the PHP function 'uni_cpo_upload_file'; if the installed plugin exposes it as an admin-ajax.php action of the same name (verify this in the plugin source), refuse requests carrying action=uni_cpo_upload_file from a must-use plugin or at the WAF, and turn off file-upload option fields in the plugin settings. Deleting or renaming files inside the plugin directory is not a durable workaround, because the next plugin update restores them.
  • Configure a web application firewall or upload filter to reject disallowed file extensions and MIME types (including double extensions such as .php.jpg and alternative PHP extensions such as .phtml and .phar), and deny script execution in wp-content/uploads at the web server so that a file that does get through cannot be run.
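The temporary blocking layer the actions above describe, as an added example (not vendor code): a WordPress must-use plugin that refuses the upload request before the plugin's own handler runs. The advisory names only the PHP function 'uni_cpo_upload_file'; the assumption here is that it is reached as an admin-ajax.php action of the same name, which must be verified against the installed plugin before relying on this. Names prefixed hypo_ are assumptions.

```php
<?php
/**
 * Plugin Name: Temporary block for Uni CPO unauthenticated uploads
 * Description: Added example for this page, not vendor code. Drop into
 * wp-content/mu-plugins/ until a fixed plugin release is installed.
 * Assumption: the vulnerable handler is reached as an admin-ajax.php action
 * named 'uni_cpo_upload_file'. The advisory names only the PHP function, so
 * confirm the action name in the installed plugin first.
 */

// Handler name from the advisory; that it is also the AJAX action name is an assumption.
const HYPO_BLOCKED_ACTION = 'uni_cpo_upload_file';

/**
 * Decide whether a request must be refused. Kept free of WordPress globals so
 * the policy can be reviewed on its own.
 *
 * @param string|null $action    value of the request's "action" parameter
 * @param bool        $logged_in whether the request carries a valid login
 * @param bool        $has_file  whether a file was attached ($_FILES non-empty)
 * @return bool
 */
function hypo_should_block_upload( $action, $logged_in, $has_file ) {
    if ( $action !== HYPO_BLOCKED_ACTION ) {
        return false;                 // some other AJAX action, not our concern
    }
    // The advisory's attack path is unauthenticated, so anonymous callers are
    // refused outright. The type-validation bug sits in the handler itself, so
    // logged-in callers are refused as soon as a file is attached; any non-upload
    // use of the same action keeps working.
    return ! $logged_in || $has_file;
}

function hypo_block_uni_cpo_upload() {
    if ( ! wp_doing_ajax() ) {
        return;
    }
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : null;
    if ( hypo_should_block_upload( $action, is_user_logged_in(), ! empty( $_FILES ) ) ) {
        error_log( sprintf(
            'hypo-block: refused %s from %s',
            HYPO_BLOCKED_ACTION,
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-'
        ) );
        wp_send_json_error( array( 'message' => 'File uploads are temporarily disabled.' ), 403 );
    }
}

// admin-ajax.php fires admin_init before dispatching wp_ajax_{action} and
// wp_ajax_nopriv_{action}, so this runs ahead of the plugin's handler whatever
// the plugin load order; priority 0 keeps it ahead of other admin_init callbacks.
add_action( 'admin_init', 'hypo_block_uni_cpo_upload', 0 );
```

Pair the mu-plugin with a web-server rule that denies execution inside wp-content/uploads (on Apache, an .htaccess in the uploads directory with a FilesMatch block for \.(php|phtml|phar)$ and Require all denied; on nginx, a location matching /wp-content/uploads/.*\.(php|phtml|phar)$ that returns 403). The mu-plugin stops new uploads through this action; the server rule keeps a file that was uploaded before the block was in place from running. The error_log line gives incident responders a record of attempts to correlate with access logs. Remove the mu-plugin once the plugin is updated to a fixed release.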


Advisories

  Source: EUVD
  ID: EUVD-2025-30886
  Title: The Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) plugin for WordPress is vulnerable to arbitrary file uploads due to misconfigured file type validation in the 'uni_cpo_upload_file' function in all versions up to, and including, 4.9.54. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
History

Wed, 08 Apr 2026 17:30:00 +0000
  References: updated (no values listed)

Wed, 08 Apr 2026 17:00:00 +0000
  Description
    Removed: The Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) plugin for WordPress is vulnerable to arbitrary file uploads due to misconfigured file type validation in the 'uni_cpo_upload_file' function in all versions up to, and including, 4.9.54. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
    Added: The Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) plugin for WordPress is vulnerable to arbitrary file uploads due to misconfigured file type validation in the 'uni_cpo_upload_file' function in all versions up to, and including, 4.9.55. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
  Title
    Removed: Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) <= 4.9.54 - Unauthenticated Arbitrary File Upload via 'uni_cpo_upload_file'
    Added: Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) <= 4.9.55 - Unauthenticated Arbitrary File Upload via 'uni_cpo_upload_file'
  References: updated (no values listed)

Tue, 23 Sep 2025 20:15:00 +0000
  Metrics added: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 23 Sep 2025 16:15:00 +0000
  First Time appeared: Woocommerce (woocommerce), Wordpress (wordpress)
  Vendors & Products: Woocommerce (woocommerce), Wordpress (wordpress)

Tue, 23 Sep 2025 09:45:00 +0000
  Description added: The Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) plugin for WordPress is vulnerable to arbitrary file uploads due to misconfigured file type validation in the 'uni_cpo_upload_file' function in all versions up to, and including, 4.9.54. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
  Title added: Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) <= 4.9.54 - Unauthenticated Arbitrary File Upload via 'uni_cpo_upload_file'
  Weaknesses added: CWE-434
  References added (no values listed)
  Metrics added: cvssV3_1
    {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:38:26.006Z

Reserved: 2025-09-13T23:01:44.618Z

Link: CVE-2025-10412

Vulnrichment

Updated: 2025-09-23T19:30:24.115Z

NVD

Status : Deferred

Published: 2025-09-23T10:15:34.650

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-10412

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T00:00:18Z

Weaknesses