Description
The Vitepos – Point of Sale (POS) for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the insert_media_attachment() function in all versions up to, and including, 3.3.0. This is due to the save_update_category_img() function accepting user-supplied file types without validation when processing category images. This makes it possible for authenticated attackers, with subscriber level access and above, to upload arbitrary files on the affected site's server which makes remote code execution possible.
Published: 2025-11-21
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The Vitepos – Point of Sale (POS) for WooCommerce plugin performs no file type validation in its insert_media_attachment() function. The save_update_category_img() function, which handles category image uploads, passes the user-supplied file and its claimed type to that routine without checking either, so any authenticated user with subscriber-level access or higher can upload a file of any type. Because the upload is stored on the site's filesystem as a media attachment, an attacker can place a PHP file where the web server will serve and execute it, gaining remote code execution as the web server user. This is a classic unrestricted file upload (CWE-434).

Affected Systems

Vitepos – Point of Sale (POS) for WooCommerce by appsbd, all versions up to and including 3.3.0. Any WordPress site with the plugin active is exposed to every account at subscriber level or above, so sites that allow self-registration, or that already hold subscriber-level customer accounts, are the practical targets. Releases after 3.3.0 are not listed as affected.

Risk and Exploitability

The CVSS 3.1 base score is 8.8 (High), vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H: reachable over the network, low attack complexity, no user interaction, and only a low-privilege account required. The EPSS score is below 1% and the CVE is not in the CISA KEV catalog; the SSVC record in the history below lists Exploitation: none and Automatable: no. The low privilege bar is the practical concern: WordPress assigns the Subscriber role to self-registered users by default, and many e-commerce sites allow registration, so an attacker who registers or compromises such an account can upload a web shell through the category image update path and then request it. There is no server-side validation to bypass; the check is simply absent. Unauthenticated users cannot reach the vulnerable routine.

Generated by OpenCVE AI on April 21, 2026 at 01:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Vitepos to a release later than 3.3.0 that validates uploaded file types, once the vendor ships one; until then, consider deactivating the plugin on any site that has subscriber-level accounts
  • Close self-registration where it is not needed and audit existing subscriber-level accounts; note that default subscribers hold only the read capability, so the plugin is evidently not gating this path on upload_files, and tightening WordPress roles is defence in depth rather than a fix
  • Configure the web server to refuse to execute PHP (and other script handlers) under wp-content/uploads, and have the application allowlist extensions and MIME types and verify them against the actual file contents
  • Maintain regular update cycles for WordPress core, plugins, and themes to prevent similar flaws
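The following is an added example, not code from Vitepos or appsbd, showing the kind of server-side check that the description says save_update_category_img() and insert_media_attachment() lack, beside the pattern that makes the upload arbitrary. It is plain PHP with no WordPress dependency and assumes PHP 7.4+ with the fileinfo extension; the function names, the allowlist and the constructed sample files are the example's own. The vulnerable pattern trusts the client's filename and Content-Type; the hardened function accepts only an allowlisted image extension, sniffs the bytes with finfo and getimagesize, requires both to agree with the extension, and issues a fresh server-chosen filename.

```php
<?php
// Added example (not Vitepos code). Assumes PHP 7.4+ with the fileinfo extension.
// Function names, the allowlist and the sample files below are the example's own.

const ALLOWED_IMAGE_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
    'webp' => 'image/webp',
];

/**
 * Vulnerable pattern (hypothetical, modelled on the advisory text): the stored
 * filename and type come straight from the client, so "shell.php" sent with a
 * Content-Type of image/png is written to the uploads directory unchanged.
 */
function vulnerable_destination(string $clientName, string $clientMime): array
{
    return ['name' => basename($clientName), 'type' => $clientMime];
}

/**
 * Hardened check. Returns a server-chosen filename for an accepted upload,
 * or null if the upload is rejected. $clientMime is deliberately ignored.
 */
function validate_category_image(string $tmpPath, string $clientName, string $clientMime): ?string
{
    // 1. Only the final extension counts, and it must be on the allowlist.
    //    Rejects .php, .phtml, .phar, .svg, .htaccess and extension-less names.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_IMAGE_TYPES)) {
        return null;
    }
    $expected = ALLOWED_IMAGE_TYPES[$ext];

    // 2. Sniff the real content; PHP source renamed to .png is not image/png.
    $sniffed = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($sniffed !== $expected) {
        return null;
    }

    // 3. The image header must parse and agree with the extension as well.
    $info = @getimagesize($tmpPath);
    if ($info === false || ($info['mime'] ?? '') !== $expected) {
        return null;
    }

    // 4. Never reuse the client name: generate the stored name server-side.
    return bin2hex(random_bytes(8)) . '.' . $ext;
}

// Constructed sample inputs: a real 1x1 PNG and a PHP payload under two names.
$png = base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==');
$phpPayload = "<?php echo 'executed as ' . get_current_user(); ?>";

$samples = [
    ['name' => 'logo.png',  'mime' => 'image/png', 'bytes' => $png],
    ['name' => 'shell.php', 'mime' => 'image/png', 'bytes' => $phpPayload],
    ['name' => 'shell.png', 'mime' => 'image/png', 'bytes' => $phpPayload], // disguised
];

foreach ($samples as $s) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $s['bytes']);
    $vuln = vulnerable_destination($s['name'], $s['mime']);
    $safe = validate_category_image($tmp, $s['name'], $s['mime']);
    printf("%-10s vulnerable stores as %-10s hardened: %s\n",
        $s['name'], $vuln['name'], $safe === null ? 'REJECTED' : 'accepted as ' . $safe);
    unlink($tmp);
}
```

Run with php on the command line: the genuine PNG is accepted under a random name, shell.php fails the extension check, and shell.png fails the content sniff. Inside a WordPress plugin the corresponding core pieces are wp_check_filetype_and_ext() for the extension/content agreement, a current_user_can('upload_files') check before the handler runs, and a nonce on the request; the web-server side of the same defence is a rule that refuses to execute .php under wp-content/uploads.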

Advisories

No advisories yet.

History

Mon, 24 Nov 2025 09:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Appsbd
                                      Appsbd vitepos
                                      Woocommerce
                                      Woocommerce woocommerce
                                      Wordpress
                                      Wordpress wordpress
Vendors & Products                    Appsbd
                                      Appsbd vitepos
                                      Woocommerce
                                      Woocommerce woocommerce
                                      Wordpress
                                      Wordpress wordpress

Fri, 21 Nov 2025 15:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 21 Nov 2025 08:45:00 +0000

Type          Values Removed   Values Added
Description                    The Vitepos – Point of Sale (POS) for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the insert_media_attachment() function in all versions up to, and including, 3.3.0. This is due to the save_update_category_img() function accepting user-supplied file types without validation when processing category images. This makes it possible for authenticated attackers, with subscriber level access and above, to upload arbitrary files on the affected site's server which makes remote code execution possible.
Title                          Vitepos – Point of Sale (POS) for WooCommerce <= 3.3.0 - Authenticated (Subscriber+) Arbitrary File Upload to Remote Code Execution
Weaknesses                     CWE-434
References
Metrics                        cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:18:56.867Z

Reserved: 2025-11-13T22:02:28.030Z

Link: CVE-2025-13156

Vulnrichment

Updated: 2025-11-21T14:41:23.121Z

NVD

Status: Deferred

Published: 2025-11-21T09:15:46.887

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13156

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T01:30:24Z

Weaknesses