Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in add-ons.org Product File Upload for WooCommerce products-file-upload-for-woocommerce allows Path Traversal. This issue affects Product File Upload for WooCommerce: from n/a through <= 2.2.4.
Published: 2026-03-25
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary file deletion via path traversal
Action: Patch Now
AI Analysis

Impact

Improper limitation of a pathname in the File Upload for WooCommerce plugin allows an attacker to perform path traversal and delete arbitrary files on the WordPress server. A file path supplied through the upload interface is not properly sanitized, so any file whose path can be constructed can be removed, potentially including critical configuration, log, or system files. The vulnerability is a classic path traversal weakness (CWE-22) that compromises data integrity and may lead to further exploitation if critical files are removed.

Affected Systems

The issue affects all installations of the File Upload for WooCommerce add-on from the vendor add-ons.org, with affected versions ranging from early releases through 2.2.4. Systems running any of these versions are potentially exposed, regardless of the WordPress core or WooCommerce versions.

Risk and Exploitability

The CVSS score of 6.8 indicates a moderate impact if exploitation is achieved. The EPSS score (<1%) suggests a low current likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Exploitation would likely require access to the plugin’s upload functionality, which is typically available to users with product upload permissions; attackers would construct a filename containing directory traversal sequences to delete target files. Once access is gained, any file in the web directory tree could be removed, creating a denial of service or facilitating further compromise.

Generated by OpenCVE AI on March 26, 2026 at 19:38 UTC.
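The analysis above describes a file name that reaches a delete operation without being confined to the plugin's upload directory. As an added example (not code from the plugin or from OpenCVE), the following PHP helper shows the containment check a WordPress plugin should apply before deleting an uploaded file; the function names, the directory layout and the sample file are hypothetical.

```php
<?php
// Added example: confine a user-supplied file name to one upload directory
// before deleting it. wpfu_* names and the temp-directory demo are hypothetical.

/**
 * Return the canonical path of $name inside $baseDir, or null when the name
 * would escape the directory (e.g. "../wp-config.php"), contains a NUL byte,
 * is not a bare file name, or does not exist.
 */
function wpfu_resolve_upload_path(string $baseDir, string $name): ?string
{
    // Only a bare file name is acceptable: no separators, no NUL, no "..".
    if ($name === '' || strpos($name, "\0") !== false || $name !== basename($name)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() canonicalises the joined path (resolving symlinks too) and
    // returns false when the target does not exist.
    $target = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($target === false) {
        return null;
    }
    // Containment check on the canonical path, not on the raw input: the
    // result must sit strictly below $base (a symlink pointing out is refused).
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

/** Delete an uploaded product file; returns false when nothing was deleted. */
function wpfu_delete_product_file(string $baseDir, string $name): bool
{
    // In a real plugin the caller also verifies the capability and nonce
    // (current_user_can(), check_admin_referer()) before reaching this point.
    $path = wpfu_resolve_upload_path($baseDir, $name);
    if ($path === null || !is_file($path)) {
        return false;
    }
    return unlink($path);
}

// Constructed demo in a scratch directory: one legitimate name, one traversal
// attempt that points outside the directory, one name with an embedded NUL.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'wpfu-demo-' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'a.pdf', 'x');
var_dump(wpfu_delete_product_file($dir, 'a.pdf'));
var_dump(wpfu_delete_product_file($dir, '../../etc/hostname'));
var_dump(wpfu_delete_product_file($dir, "a.pdf\0.txt"));
rmdir($dir);
```

Note that the check is performed on the canonical path returned by realpath(), so stripping "../" from the input is not needed and would not be sufficient on its own.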

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the File Upload for WooCommerce plugin to version 2.2.5 or later
  • If an update is not immediately available, disable the plugin or restrict upload permissions to trusted users only

Generated by OpenCVE AI on March 26, 2026 at 19:38 UTC.


Advisories

No advisories yet.

History

Thu, 26 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics
  cvssV3_1: {'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared
  Add-ons.org
  Add-ons.org product File Upload For Woocommerce
  Wordpress
  Wordpress wordpress
Vendors & Products
  Add-ons.org
  Add-ons.org product File Upload For Woocommerce
  Wordpress
  Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description
  Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in add-ons.org Product File Upload for WooCommerce products-file-upload-for-woocommerce allows Path Traversal. This issue affects Product File Upload for WooCommerce: from n/a through <= 2.2.4.
Title
  WordPress Product File Upload for WooCommerce plugin <= 2.2.4 - Arbitrary File Deletion vulnerability
Weaknesses
  CWE-22
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-26T17:32:19.347Z

Reserved: 2026-02-02T12:52:29.366Z

Link: CVE-2026-25328

Vulnrichment

Updated: 2026-03-26T17:26:52.158Z

NVD

Status : Awaiting Analysis

Published: 2026-03-25T17:16:44.247

Modified: 2026-03-30T13:27:12.923

Link: CVE-2026-25328

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:46:02Z

Weaknesses