{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25397", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:12.987Z", "datePublished": "2026-03-25T16:14:47.850Z", "dateUpdated": "2026-03-25T16:14:47.850Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "file-uploader-for-woocommerce", "product": "File Uploader for WooCommerce", "vendor": "Snowray Software", "versions": [{"lessThanOrEqual": "<= 1.0.4", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "johska | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:27.114Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Path Traversal: '.../...//' vulnerability in Snowray Software File Uploader for WooCommerce file-uploader-for-woocommerce allows Path Traversal.<p>This issue affects File Uploader for WooCommerce: from n/a through <= 1.0.4.</p>"}], "value": "Path Traversal: '.../...//' vulnerability in Snowray Software File Uploader for WooCommerce file-uploader-for-woocommerce allows Path Traversal.This issue affects File Uploader for WooCommerce: from n/a through <= 1.0.4."}], "impacts": [{"capecId": "CAPEC-126", "descriptions": [{"lang": "en", "value": "Path Traversal"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-35", "description": "Path Traversal: '.../...//'", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:47.850Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/file-uploader-for-woocommerce/vulnerability/wordpress-file-uploader-for-woocommerce-plugin-1-0-4-path-traversal-vulnerability?_s_id=cve"}], "title": "WordPress File Uploader for WooCommerce plugin <= 1.0.4 - Path Traversal vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Path Traversal: '.../...//' vulnerability in Snowray Software File Uploader for WooCommerce file-uploader-for-woocommerce allows Path Traversal.This issue affects File Uploader for WooCommerce: from n/a through <= 1.0.4."}], "id": "CVE-2026-25397", "lastModified": "2026-03-25T17:16:49.213", "metrics": {}, "published": "2026-03-25T17:16:49.213", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/file-uploader-for-woocommerce/vulnerability/wordpress-file-uploader-for-woocommerce-plugin-1-0-4-path-traversal-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-35"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T18:54:26.712513+00:00", "value": {"mitigation_remediation": ["Upgrade the File Uploader for WooCommerce plugin to a version newer than 1.0.4.", "If an upgrade cannot be performed immediately, temporarily disable the plugin or remove the file upload functionality until a fix is available.", "Add server\u2011side checks or web\u2011server rules to block directory traversal attempts and ensure the upload directory is not writable by unauthorized users."], "summary": {"action": "Immediate Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The flaw affects all installations of the File Uploader for WooCommerce plugin with version numbers up to and including 1.0.4. The vendor does not list any later versions as vulnerable, but the patch should be applied to any installation of these affected versions.", "description_and_impact": "The vulnerability is a path\u2011traversal flaw in Snowray Software\u2019s File Uploader for WooCommerce plugin. An attacker may send a specially crafted file upload request containing a file path such as \"\u2026/\u2026//\", which is interpreted by the plugin as a location outside the intended upload directory. This allows the attacker to read arbitrary files stored on the web server, including configuration files, database credentials, or server logs. The weakness is classified as CWE\u201135 (Path Traversal).", "risk_and_exploitability": "The attack vector is likely an unauthenticated or low\u2011privilege user who can submit a file upload. Because the vulnerability permits reading sensitive files, the potential impact on confidentiality is significant, and the attacker may use the information to pivot to further attacks. No EPSS score is available, and the issue is not listed in the CISA KEV catalog, yet the presence of a path\u2011traversal flaw and the absence of controls makes it a high\u2011risk CVE that should be addressed promptly."}}}}, "created": "2026-03-25T21:44:38.497014+00:00", "updated": "2026-03-25T21:44:38.497039+00:00", "vendors": []}