Description
The PPOM – Product Addons & Custom Fields for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the image cropper functionality in all versions up to, and including, 33.0.15. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. While the vulnerable code is in the free version, this only affected users with the paid version of the software installed and activated.
Published: 2025-10-18
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The PPOM – Product Addons & Custom Fields for WooCommerce plugin allows unauthenticated users to upload any file because the image cropper does not validate the file type. The absence of checks enables the upload of executable code, which could lead to remote code execution on the host web server. This vulnerability is classified as CWE-434, indicating a failure to restrict file types or extensions during upload.

Affected Systems

WordPress sites that use the PPOM plugin with versions 33.0.15 or earlier, and that have the paid edition active. The free edition contains the code but the flaw only manifests when the paid features are enabled. No other vendors or products are listed.

Risk and Exploitability

The CVSS score of 9.8 reflects the severity of this flaw, while the EPSS score of less than 1% indicates that, at present, exploitation is unlikely but the impact would be catastrophic if it occurs. The vulnerability is not listed in the CISA KEV catalog, so no exploitation in the wild has been confirmed there. Attackers would need to send a crafted HTTP request to the plugin's image cropper endpoint; authentication is not required, so anyone who can reach the site over the public internet can attempt the upload.

Generated by OpenCVE AI on April 21, 2026 at 02:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the PPOM plugin to version 33.0.16 or newer, or uninstall the plugin if it is not needed.
  • Disable the image cropper feature or restrict its usage to authenticated administrators only.
  • Configure the web server so that the uploads directory does not allow execution of uploaded files, for example by setting the correct file permissions or adding a .htaccess rule that blocks PHP execution.
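An Apache .htaccess for the WordPress uploads directory that implements the last recommendation, added here as an example and not part of the OpenCVE record or the plugin's own code. It assumes Apache with AllowOverride enabled (FileInfo and Limit) for wp-content/uploads.

```apache
# Place in wp-content/uploads/.htaccess (assumption: Apache, AllowOverride FileInfo Limit)
# Deny direct requests for anything Apache could hand to PHP, matched case-insensitively
# so that .PHP, .Phtml and similar variants are covered too.
<FilesMatch "(?i)\.(php|phtml|php[0-9]|phar|inc)$">
  # Apache 2.4
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  # Apache 2.2
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
  </IfModule>
</FilesMatch>

# Second layer: even if a file slips past the pattern, make sure no PHP handler or
# MIME type is associated with it anywhere under this directory (mod_php only;
# php-fpm setups need the equivalent rule in the server configuration instead).
<IfModule mod_php7.c>
  php_flag engine off
</IfModule>
<IfModule mod_php.c>
  php_flag engine off
</IfModule>
RemoveHandler .php .phtml .phar
RemoveType .php .phtml .phar
```

Sites served by nginx ignore .htaccess files entirely and need an equivalent `location` rule that refuses to pass requests under wp-content/uploads to the PHP backend.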

Advisories

No advisories yet.

History

Mon, 20 Oct 2025 20:00:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 20 Oct 2025 13:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared   (none)           Themeisle; Themeisle product Addons & Fields For Woocommerce; Wordpress; Wordpress wordpress
Vendors & Products    (none)           Themeisle; Themeisle product Addons & Fields For Woocommerce; Wordpress; Wordpress wordpress

Sat, 18 Oct 2025 07:00:00 +0000

Type          Values Removed   Values Added
Description   (none)           The PPOM – Product Addons & Custom Fields for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the image cropper functionality in all versions up to, and including, 33.0.15. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. While the vulnerable code is in the free version, this only affected users with the paid version of the software installed and activated.
Title         (none)           PPOM – Product Addons & Custom Fields for WooCommerce <= 33.0.15 - Unauthenticated Arbitrary File Upload
Weaknesses    (none)           CWE-434
References    (none)
Metrics       (none)           cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:24:40.895Z

Reserved: 2025-10-06T20:04:27.764Z

Link: CVE-2025-11391

Vulnrichment

Updated: 2025-10-20T18:30:40.606Z

NVD

Status: Deferred

Published: 2025-10-18T07:15:35.010

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11391

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T02:15:06Z

Weaknesses