Description
The File Uploader for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the callback function for the 'add-image-data' REST API endpoint in all versions up to, and including, 1.0.3. This makes it possible for unauthenticated attackers to upload arbitrary files to the Uploadcare service and subsequently download them on the affected site's server which may make remote code execution possible.
Published: 2025-12-20
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated arbitrary file upload leading to possible remote code execution
Action: Patch
AI Analysis

Impact

The File Uploader for WooCommerce plugin for WordPress registers an 'add-image-data' REST API endpoint whose callback does not validate the type of the submitted file. An unauthenticated attacker can send any file to this endpoint; the plugin forwards it to the external Uploadcare service and then downloads it from Uploadcare onto the affected site's server. Because the attacker controls the file's name and contents, a server-side script (WordPress runs on PHP) can be written onto the host, which may allow remote code execution. Whether execution actually follows depends on where the downloaded file lands and whether the web server will execute files in that location, which the advisory does not specify; the safe assumption for an exposed site is that it does.

Affected Systems

Snowray’s File Uploader for WooCommerce plugin is affected for all releases up to and including version 1.0.3. WordPress sites running any of these versions are at risk.

Risk and Exploitability

The CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) scores 9.8 Critical: network-reachable, low complexity, no privileges or user interaction required, and high impact on confidentiality, integrity and availability. The SSVC entry recorded on 22 Dec 2025 (Automatable: yes, Exploitation: none, Technical Impact: total) agrees that the flaw is easy to automate but had no known exploitation at that time. The EPSS score of less than 1% and the absence of a CISA KEV listing likewise reflect low observed exploitation, which is not the same as low risk: the attack is a single unauthenticated HTTP request to the plugin's 'add-image-data' REST route carrying attacker-supplied file data, so any internet-facing site running 1.0.3 or earlier should treat the issue as exploitable.

Generated by OpenCVE AI on April 21, 2026 at 00:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the plugin to a release later than 1.0.3 that adds file type validation; this page records no vendor fix yet, so check the vendor's changelog rather than assuming the current release is patched.
  • Until then, restrict the 'add-image-data' REST route so that only authenticated users with upload privileges can reach it, either with a must-use plugin that short-circuits the request before the plugin's callback runs or with a web server rule on the route path.
  • Remove or temporarily disable the Uploadcare integration so the upload-then-download path cannot be driven by unauthenticated requests until a fix is applied.
  • Monitor web server logs for POST requests to the 'add-image-data' route from unauthenticated clients, check web-writable directories (for WordPress, typically under wp-content) for newly created executable files such as .php, and enforce strict extension and content-type checks on any custom upload handlers.
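As a concrete form of the route restriction and file type check recommended above, the following is an added example of a WordPress must-use plugin (placed in wp-content/mu-plugins/). It is not the vendor's code and not part of this advisory. It assumes the vulnerable route can be recognised by the 'add-image-data' fragment in its path (the plugin's REST namespace is not given on this page) and that the file arrives as a multipart upload visible to WP_REST_Request::get_file_params(); if the plugin instead accepts file contents in the JSON body, the file check needs adapting, but the authentication gate still applies. The image-only allowlist and the hypothetical harden_aid_ naming are choices made for this example.

```php
<?php
/**
 * Plugin Name: Harden add-image-data REST route (temporary mitigation)
 * Description: Added example, not vendor code. Refuses unauthenticated access to any
 * REST route whose path contains 'add-image-data' and enforces an image-only allowlist
 * on uploaded files, as a stopgap until the plugin is updated past 1.0.3.
 */

// Route fragment taken from the advisory. The plugin's REST namespace is not
// published on this page, so we match on the fragment rather than a full route.
const HARDEN_AID_ROUTE_FRAGMENT = 'add-image-data';

// Assumed allowlist: the endpoint handles product images, so only raster image types.
const HARDEN_AID_ALLOWED_MIMES = array(
    'jpg|jpeg|jpe' => 'image/jpeg',
    'png'          => 'image/png',
    'gif'          => 'image/gif',
    'webp'         => 'image/webp',
);

/**
 * Decide whether a REST request should be refused before the plugin's callback runs.
 * Returns null to let the request through, or a WP_Error that short-circuits it.
 */
function harden_aid_check( WP_REST_Request $request ) {
    if ( strpos( $request->get_route(), HARDEN_AID_ROUTE_FRAGMENT ) === false ) {
        return null; // not the endpoint we care about
    }

    // 1. Require an authenticated user who may upload files (Author and above by default).
    //    Cookie-authenticated REST calls also need a valid nonce, otherwise WordPress
    //    treats them as anonymous, which is exactly what we want to reject here.
    if ( ! is_user_logged_in() || ! current_user_can( 'upload_files' ) ) {
        $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
        error_log( sprintf( 'harden_aid: denied unauthenticated %s %s from %s',
            $request->get_method(), $request->get_route(), $ip ) );
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }

    // 2. Validate every uploaded file by extension AND content (wp_check_filetype_and_ext
    //    sniffs image data), rejecting anything outside the allowlist or with a mismatch.
    foreach ( $request->get_file_params() as $file ) {
        if ( empty( $file['tmp_name'] ) || empty( $file['name'] ) ) {
            continue;
        }
        $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], HARDEN_AID_ALLOWED_MIMES );
        if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
            error_log( 'harden_aid: rejected file ' . sanitize_file_name( $file['name'] ) );
            return new WP_Error( 'rest_invalid_file',
                'Only JPEG, PNG, GIF or WebP images are accepted.', array( 'status' => 415 ) );
        }
    }
    return null;
}

// rest_request_before_callbacks runs after routing but before the endpoint callback,
// so returning a WP_Error here stops the plugin's handler (and the Uploadcare round
// trip) from ever executing.
add_filter( 'rest_request_before_callbacks', function ( $response, $handler, $request ) {
    if ( is_wp_error( $response ) ) {
        return $response; // an earlier filter already rejected the request
    }
    $error = harden_aid_check( $request );
    return $error instanceof WP_Error ? $error : $response;
}, 10, 3 );
```

To verify it is active, send an unauthenticated POST to the route and confirm a 401 JSON error, then, as an authenticated user, upload a genuine PNG (accepted) and a PHP file renamed to .png (rejected with 415, because the content sniff does not match the extension). Log entries prefixed with harden_aid: give a simple feed for the monitoring step above.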

Generated by OpenCVE AI on April 21, 2026 at 00:41 UTC.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 18:30:00 +0000


Mon, 22 Dec 2025 21:15:00 +0000

Metrics added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sun, 21 Dec 2025 21:30:00 +0000

First Time appeared (added): Woocommerce, Woocommerce woocommerce, Wordpress, Wordpress wordpress
Vendors & Products (added): Woocommerce, Woocommerce woocommerce, Wordpress, Wordpress wordpress

Sat, 20 Dec 2025 03:30:00 +0000

Description added: The File Uploader for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the callback function for the 'add-image-data' REST API endpoint in all versions up to, and including, 1.0.3. This makes it possible for unauthenticated attackers to upload arbitrary files to the Uploadcare service and subsequently download them on the affected site's server which may make remote code execution possible.
Title added: File Uploader for WooCommerce <= 1.0.3 - Unauthenticated Arbitrary File Upload via add-image-data
Weaknesses added: CWE-434
References added: (none listed)
Metrics added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Woocommerce
Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:27:16.864Z

Reserved: 2025-11-17T18:50:29.412Z

Link: CVE-2025-13329

Vulnrichment

Updated: 2025-12-22T20:30:28.207Z

NVD

Status : Deferred

Published: 2025-12-20T04:16:07.207

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13329

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T00:45:23Z

Weaknesses