Description
The Drag and Drop Multiple File Upload for WooCommerce plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation via the wc-upload-file[] parameter in all versions up to, and including, 1.1.4. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php).
Published: 2025-04-05
Score: 9.8 Critical
EPSS: 2.9% Low
KEV: No
Impact: Remote Code Execution via Arbitrary File Move
Action: Immediate Patch
AI Analysis

Impact

The Drag and Drop Multiple File Upload for WooCommerce plugin takes file paths from the wc-upload-file[] parameter without checking that they resolve inside the intended upload directory. An unauthenticated attacker can therefore supply a traversal sequence or an absolute path and have the plugin move any file the web-server user can access, including WordPress configuration files. Moving wp-config.php out of place is enough for remote code execution: with no configuration file present, WordPress falls back to its setup routine, which lets whoever reaches it complete the installation against a database they control, create an administrator account, and from there install a plugin containing arbitrary PHP.
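As an added example that is not the plugin's code, the hypothetical handler below shows the CWE-22 shape described above beside a hardened version that only moves a file after confirming its canonical path lies inside the temporary upload directory. The parameter name wc-upload-file[] is from the advisory; the function names, the directory layout and the sample files are assumptions constructed for the demo.

```php
<?php
// Added illustration of the CWE-22 file-move pattern behind CVE-2025-2941.
// Not the plugin's code: wc-upload-file[] is the advisory's parameter name;
// the function names, temp-directory layout and sample files are assumed.

// Vulnerable shape (hypothetical): the submitted value is joined onto the
// temporary directory and handed straight to rename(). "../wp-config.php"
// or an absolute path escapes the temporary area, so any file the
// web-server user can rename is moved to wherever finished uploads go.
function move_upload_vulnerable(string $submitted, string $tmp_dir, string $dest_dir): bool
{
    $src = $tmp_dir . '/' . $submitted;             // no normalisation, no containment check
    return rename($src, $dest_dir . '/' . basename($submitted));
}

// Hardened shape: accept only a bare filename, canonicalise the source and
// require that it still lies inside the temporary directory before moving it.
// Returns the destination path on success, null when the value is refused.
function move_upload_safe(string $submitted, string $tmp_dir, string $dest_dir): ?string
{
    // 1. A legitimate value is a plain basename. Anything basename() changes
    //    carried a directory component, an absolute path or a trailing slash.
    if ($submitted === '' || strpos($submitted, "\0") !== false
        || $submitted !== basename($submitted) || strpos($submitted, '\\') !== false) {
        return null;
    }
    // 2. realpath() collapses "..", "." and symlinks. Compare against the root
    //    plus a trailing separator so "/srv/tmp2" is not inside "/srv/tmp";
    //    the same test rejects "." and ".." (they resolve to root or above it).
    $root = realpath($tmp_dir);
    $src  = realpath($tmp_dir . DIRECTORY_SEPARATOR . $submitted);
    if ($root === false || $src === false
        || strncmp($src, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    // 3. Only regular files, and never a symlink someone planted in tmp.
    if (is_link($tmp_dir . DIRECTORY_SEPARATOR . $submitted) || !is_file($src)) {
        return null;
    }
    $dest = rtrim($dest_dir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR . $submitted;
    return rename($src, $dest) ? $dest : null;
}

// Demo against a throwaway tree: tmp/ holds one real upload, and a stand-in
// wp-config.php sits one level up, exactly where a traversal would reach it.
$base = sys_get_temp_dir() . '/cve-2025-2941-demo-' . getmypid();
mkdir("$base/tmp", 0700, true);
mkdir("$base/files", 0700, true);
file_put_contents("$base/tmp/order-123.pdf", "constructed upload\n");
file_put_contents("$base/wp-config.php", "<?php // constructed stand-in\n");

$cases = ['order-123.pdf', '../wp-config.php', "$base/wp-config.php", '..', 'x/../../wp-config.php'];
foreach ($cases as $c) {
    $r = move_upload_safe($c, "$base/tmp", "$base/files");
    printf("%-40s -> %s\n", $c, $r === null ? 'rejected' : "moved to $r");
}

// The vulnerable handler, given the same traversal value, moves the stand-in
// config out of place; that is the primitive the advisory describes.
move_upload_vulnerable('../wp-config.php', "$base/tmp", "$base/files");
printf("wp-config.php still in place after vulnerable move: %s\n",
    file_exists("$base/wp-config.php") ? 'yes' : 'no');
```

Run it with `php demo.php`: the plain filename is moved, the four traversal and absolute-path cases are rejected, and the vulnerable handler relocates the stand-in wp-config.php. The containment test compares against the root plus a trailing separator; that detail is what stops a sibling directory sharing a prefix with the upload root from being accepted.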

Affected Systems

WordPress sites running the Drag and Drop Multiple File Upload for WooCommerce plugin at any version up to and including 1.1.4. Because the flaw is reachable without authentication, every such installation is affected regardless of how user roles are configured; only upgrading or disabling the plugin removes the exposure.

Risk and Exploitability

The CVSS 3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects a network-reachable flaw that needs no privileges and no user interaction. The EPSS score of 2.9% is low in absolute terms and the vulnerability is not listed in CISA's KEV catalog, but neither figure offsets the severity: the SSVC assessment recorded for this CVE marks it as automatable with total technical impact, and a successful move of wp-config.php gives code execution. Based on the description, exploitation requires only a crafted HTTP request carrying the wc-upload-file[] parameter to the plugin's upload handler, which is publicly reachable on a typical WooCommerce storefront.

Generated by OpenCVE AI on April 22, 2026 at 17:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Drag and Drop Multiple File Upload for WooCommerce plugin to the latest version (≥1.1.5) to remove the file path validation flaw.
  • If an upgrade cannot be applied immediately, deactivate the plugin, or restrict access to its upload endpoint so that unauthenticated clients cannot reach the vulnerable code path.
  • Restricting the endpoint to authenticated users is only workable if the store does not rely on customer uploads. Where the feature must stay available, put a web‑application firewall or server‑level rule in front of it that accepts only bare filenames in wc-upload-file[] and rejects values containing directory traversal sequences ("../"), absolute paths or NUL bytes. Treat this as a stop‑gap: it narrows the attack surface but does not replace the fixed release.
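The "strict path validation" rule above can be enforced at the WordPress layer as a must-use plugin, which loads before any regular plugin and so sees the request before the vulnerable handler does. This is an added example, not vendor or Wordfence code: the parameter name is from the advisory, while the hook, the function names and the response text are assumptions.

```php
<?php
/**
 * Plugin Name: Request guard for CVE-2025-2941 (added example, not vendor code)
 * Description: Stop-gap for wp-content/mu-plugins/ that rejects requests whose
 *              wc-upload-file[] values are not bare filenames.
 */
// wc-upload-file[] is the parameter the advisory names; the hook choice,
// function names and response wording are assumptions for this example.

// True when one submitted value is a plain basename: no "/" or "\" component,
// not "." or "..", not an absolute path, no NUL byte. Decodes once so a
// percent-encoded "../" is judged the same way the server would see it.
function cve_2025_2941_value_is_safe($value): bool
{
    if (!is_string($value)) {
        return false;
    }
    $decoded = rawurldecode($value);
    if ($decoded === '' || $decoded === '.' || $decoded === '..') {
        return false;
    }
    if (strpos($decoded, "\0") !== false || strpos($decoded, '\\') !== false) {
        return false;                       // basename() leaves backslashes alone on Linux
    }
    return $decoded === basename($decoded); // a stripped directory part means a path was smuggled
}

// wc-upload-file[] arrives as an array (possibly nested per form field);
// every leaf must pass.
function cve_2025_2941_param_is_safe($param): bool
{
    if (is_array($param)) {
        foreach ($param as $leaf) {
            if (!cve_2025_2941_param_is_safe($leaf)) {
                return false;
            }
        }
        return true;
    }
    return cve_2025_2941_value_is_safe($param);
}

if (function_exists('add_action')) {
    // Inside WordPress: muplugins_loaded fires before regular plugins are
    // even included, so the guard runs ahead of the vulnerable handler.
    add_action('muplugins_loaded', function () {
        $param = $_POST['wc-upload-file'] ?? $_GET['wc-upload-file'] ?? null;
        if ($param !== null && !cve_2025_2941_param_is_safe($param)) {
            wp_die('Rejected: wc-upload-file must be a bare filename', 'Bad Request', ['response' => 400]);
        }
    }, 0);
} elseif (PHP_SAPI === 'cli') {
    // Outside WordPress: self-check the validator on constructed inputs.
    $cases = [
        'invoice.pdf'                 => true,
        'photo (1).jpg'               => true,
        '../wp-config.php'            => false,
        '/var/www/html/wp-config.php' => false,
        '%2e%2e%2fwp-config.php'      => false,
        '..\\wp-config.php'           => false,
        '..'                          => false,
        "a\0.pdf"                     => false,
    ];
    $ok = true;
    foreach ($cases as $value => $expected) {
        $got = cve_2025_2941_value_is_safe($value);
        printf("%-32s %s\n", json_encode($value), $got === $expected ? 'ok' : 'MISMATCH');
        $ok = $ok && $got === $expected;
    }
    echo $ok ? "self-check passed\n" : "self-check FAILED\n";
}
```

Outside WordPress the file runs as a CLI self-check over the constructed values; inside WordPress it refuses any request whose wc-upload-file[] leaves are not bare filenames. Like any request-level filter it is a blocklist: it strips one layer of percent-encoding and nothing more, and only the fixed release validates the resolved path in the code that actually performs the move.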



Advisories
Source: EUVD
ID: EUVD-2025-9920
Title: The Drag and Drop Multiple File Upload for WooCommerce plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation via the wc-upload-file[] parameter in all versions up to, and including, 1.1.4. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php).
History

Mon, 07 Apr 2025 15:15:00 +0000

Values added:
Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sat, 05 Apr 2025 07:15:00 +0000

Values added:
Description: The Drag and Drop Multiple File Upload for WooCommerce plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation via the wc-upload-file[] parameter in all versions up to, and including, 1.1.4. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php).
Title: Drag and Drop Multiple File Upload for WooCommerce <= 1.1.4 - Unauthenticated Arbitrary File Move
Weaknesses: CWE-22
References:
Metrics (cvssV3_1): {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}



MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:42:44.695Z

Reserved: 2025-03-28T18:28:17.610Z

Link: CVE-2025-2941

Vulnrichment

Updated: 2025-04-07T13:06:43.772Z

NVD

Status : Deferred

Published: 2025-04-05T07:15:40.107

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-2941

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T17:45:22Z

Weaknesses