Description
The Woffice Core plugin for WordPress, used by the Woffice Theme, is vulnerable to arbitrary file uploads due to missing file type validation in the 'saveFeaturedImage' function in all versions up to, and including, 5.4.21. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Published: 2025-04-04
Score: 8.8 High
EPSS: 1.6% Low
KEV: No
Impact: Arbitrary File Upload with potential Remote Code Execution
Action: Patch Immediately
AI Analysis

Impact

The Woffice Core plugin for WordPress does not validate the file type in its "saveFeaturedImage" routine in any release up to and including version 5.4.21. As a result, authenticated users with at least Subscriber privileges can upload any file to the site's server. Because neither a MIME check nor a file-extension restriction is performed, an attacker could upload a malicious script and later trigger its execution, compromising the host. This vulnerability maps to CWE-434, denoting Improper Restriction of Definable Media Type.

Affected Systems

The affected product is the Woffice Core plugin provided by WofficeIO, which is integrated into the Woffice Theme for WordPress. All releases of Woffice Core through 5.4.21 are vulnerable. Users running WordPress sites that rely on this plugin and theme are exposed, regardless of the site’s broader security posture.

Risk and Exploitability

The CVSS base score for this issue is 8.8, indicating severe impact. The estimated probability of exploitation, reflected by an EPSS score of 1 %, is low but non-negligible, particularly in environments where an attacker has already obtained Subscriber-level access. The vulnerability is not listed in the CISA KEV catalog, suggesting that no widespread public exploitation has been confirmed yet, but the potential for remote code execution warrants immediate remediation.

Generated by OpenCVE AI on April 21, 2026 at 21:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Woffice Core plugin to version 5.4.22 or later, where the file-type check has been restored.
  • If an upgrade is not feasible, configure WordPress to restrict file uploads to a whitelist of safe MIME types and extensions, and remove execute permissions from the upload directory.
  • Ensure that the directory used for featured images is not directly servable by the web server, or that it is protected by web-server directives that deny script execution for uploaded files.
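As an added, illustrative example (not Woffice Core's own code and not a reconstruction of its saveFeaturedImage function), the following WordPress AJAX handler shows the checks the Impact section says are missing and the second recommended action calls for: a capability check, a nonce, an extension and MIME whitelist, and content sniffing before wp_handle_upload() writes the file. The action name, nonce name, form field name, size limit and function names are assumptions; the WordPress APIs used (current_user_can, check_ajax_referer, wp_check_filetype_and_ext, wp_get_image_mime, wp_handle_upload, wp_send_json_*) are real core functions.

```php
<?php
// Added example, not Woffice Core's code. Hardened "save featured image" handler
// for a WordPress AJAX endpoint. Names prefixed example_ are assumptions.

add_action( 'wp_ajax_example_save_featured_image', 'example_save_featured_image' );

/**
 * Whitelist of accepted image types, in the shape WordPress uses for the
 * 'mimes' override: extension pattern => MIME type. Nothing executable is here.
 */
function example_allowed_image_mimes() {
    return array(
        'jpg|jpeg|jpe' => 'image/jpeg',
        'png'          => 'image/png',
        'gif'          => 'image/gif',
        'webp'         => 'image/webp',
    );
}

/**
 * Validate one $_FILES entry before it is handed to wp_handle_upload().
 * Returns true, or a WP_Error explaining the rejection.
 */
function example_validate_image_upload( array $file ) {
    if ( ! isset( $file['tmp_name'], $file['name'] ) || ! is_uploaded_file( $file['tmp_name'] ) ) {
        return new WP_Error( 'no_file', 'No uploaded file was received.' );
    }
    if ( (int) $file['error'] !== UPLOAD_ERR_OK ) {
        return new WP_Error( 'upload_error', 'The upload did not complete.' );
    }
    // 5 MB cap (assumed limit); the PHP/WordPress defaults are usually far larger.
    if ( (int) $file['size'] > 5 * 1024 * 1024 ) {
        return new WP_Error( 'too_large', 'Image exceeds the 5 MB limit.' );
    }
    // Extension and declared type must match the whitelist. A name like
    // "shell.php" has no whitelisted extension and fails here.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], example_allowed_image_mimes() );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'Only JPEG, PNG, GIF or WebP images are accepted.' );
    }
    // Content check: the bytes must actually decode as the image type the
    // extension claims, so a script renamed to photo.jpg is also rejected.
    $real_mime = wp_get_image_mime( $file['tmp_name'] );
    if ( ! $real_mime || $real_mime !== $check['type'] ) {
        return new WP_Error( 'bad_content', 'File content does not match an accepted image type.' );
    }
    return true;
}

function example_save_featured_image() {
    // Authorization first: the Subscriber role does not have upload_files by default.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'Insufficient permissions.', 403 );
    }
    // CSRF protection; 'example_featured_image' is an assumed nonce action.
    check_ajax_referer( 'example_featured_image', 'nonce' );

    if ( empty( $_FILES['featured_image'] ) ) {
        wp_send_json_error( 'No file uploaded.', 400 );
    }
    $file = $_FILES['featured_image'];

    $valid = example_validate_image_upload( $file );
    if ( is_wp_error( $valid ) ) {
        wp_send_json_error( $valid->get_error_message(), 400 );
    }

    // Let WordPress move the file into the uploads directory. 'mimes' re-applies
    // the same whitelist inside wp_handle_upload(), so the check cannot be bypassed
    // by calling this function with a different $file than the one validated.
    $upload = wp_handle_upload( $file, array(
        'test_form' => false,
        'mimes'     => example_allowed_image_mimes(),
    ) );
    if ( isset( $upload['error'] ) ) {
        wp_send_json_error( $upload['error'], 400 );
    }

    wp_send_json_success( array( 'url' => $upload['url'] ) );
}
```

The extension whitelist is the control that keeps executable file types out of the uploads directory; the content check adds depth but image-decoding checks are not a substitute for the third recommended action, since a file can be a valid image and still carry script content. Denying script execution for the upload directory at the web-server level is what makes such a file harmless even if every application-level check is wrong.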

Advisories
Source: EUVD
ID: EUVD-2025-9684
Title: The Woffice Core plugin for WordPress, used by the Woffice Theme, is vulnerable to arbitrary file uploads due to missing file type validation in the 'saveFeaturedImage' function in all versions up to, and including, 5.4.21. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
History

Fri, 08 Aug 2025 20:15:00 +0000

Type: First Time appeared
  Values added: Xtendify; Xtendify woffice
Type: CPEs
  Values added: cpe:2.3:a:xtendify:woffice:*:*:*:*:*:wordpress:*:*
Type: Vendors & Products
  Values added: Xtendify; Xtendify woffice

Mon, 09 Jun 2025 20:30:00 +0000


Mon, 09 Jun 2025 19:45:00 +0000

Type: Metrics (cvssV3_1)
  Values removed: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  Values added:   {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 04 Apr 2025 14:15:00 +0000

Type: Metrics (ssvc)
  Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 04 Apr 2025 07:15:00 +0000

Type: Description
  Values added: The Woffice Core plugin for WordPress, used by the Woffice Theme, is vulnerable to arbitrary file uploads due to missing file type validation in the 'saveFeaturedImage' function in all versions up to, and including, 5.4.21. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Type: Title
  Values added: Woffice Core <= 5.4.21 - Authenticated (Subscriber+) Arbitrary File Upload
Type: Weaknesses
  Values added: CWE-434
Type: References
Type: Metrics (cvssV3_1)
  Values added: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Wofficeio Woffice Core
Wordpress Wordpress
Xtendify Woffice
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:02:49.587Z

Reserved: 2025-03-24T22:52:01.711Z

Link: CVE-2025-2780

Vulnrichment

Updated: 2025-04-04T13:17:21.687Z

NVD

Status: Analyzed

Published: 2025-04-04T07:15:40.807

Modified: 2025-08-08T20:06:49.500

Link: CVE-2025-2780

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T21:30:45Z

Weaknesses