CVE-2025-11391
Published: 18 October 2025
Description
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Security Summary
CVE-2025-11391 affects the PPOM – Product Addons & Custom Fields for WooCommerce plugin for WordPress, specifically due to missing file type validation in the image cropper functionality. This vulnerability enables arbitrary file uploads in all versions up to and including 33.0.15. Although the vulnerable code exists in the free version of the plugin, it only impacts sites where the paid version is installed and activated.
Unauthenticated attackers can exploit this flaw over the network with low attack complexity, no privileges and no user interaction, gaining high confidentiality, integrity and availability impact; the vulnerability is scored CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Because the upload handler does not validate the file type, an attacker can place a file of their choosing (including a PHP web shell) on the affected site's server and thereby obtain remote code execution. The weakness is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type).
Mitigation details are outlined in the Wordfence advisory and in the plugin's WordPress.org Trac repository, including the code change to hooks.php at line 45 and changeset 3379431, which address the missing file validation. Affected users should update to a fixed version newer than 33.0.15 where one is available.
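The following is an added illustration, not the PPOM plugin's code and not the patch in changeset 3379431: it contrasts an upload handler that stores whatever the client sends (the CWE-434 pattern the advisory describes) with one that enforces the checks an image cropper endpoint needs. The allowlist, magic bytes, sample filenames and payloads are all constructed for the example; in a real WordPress plugin the hardened path corresponds to calling wp_check_filetype_and_ext() on the temporary file rather than trusting the client-supplied name or Content-Type.

```python
"""Added example: missing vs. enforced file-type validation for an image upload.

Not the PPOM plugin's code. Sample files and allowlist are constructed here.
"""
import os

# Hypothetical allowlist for a cropper endpoint: raster image types only,
# keyed by extension, with the leading bytes the content must carry.
ALLOWED_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Extensions a typical PHP web server may execute. They are rejected if they
# appear anywhere in the name, which also catches double extensions.
EXECUTABLE = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "htaccess"}


def vulnerable_accepts(filename: str, data: bytes) -> bool:
    """The CWE-434 pattern: any non-empty file is stored under the client's name."""
    return bool(filename) and len(data) > 0


def hardened_accepts(filename: str, data: bytes) -> bool:
    """Accept only an allowlisted image extension whose content matches it."""
    name = os.path.basename(filename)          # drop any path components
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:         # no extension, or dotfile
        return False
    if any(p in EXECUTABLE for p in parts[1:]):  # shell.php, shell.php.png
        return False
    magic = ALLOWED_MAGIC.get(parts[-1])
    if magic is None:                          # extension not on the allowlist
        return False
    return data.startswith(magic)              # content must match claimed type


# Constructed uploads: one legitimate image and four attacker-style files.
SAMPLES = {
    "avatar.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "shell.php": b"<?php system($_GET['c']); ?>",
    "shell.php.png": b"<?php system($_GET['c']); ?>",    # double extension
    "fake.png": b"<?php system($_GET['c']); ?>",         # extension lies about content
    "../../wp-config.php": b"<?php /* overwrite */ ?>",  # path traversal in name
}


def evaluate(samples=SAMPLES):
    """Map each sample name to (vulnerable decision, hardened decision)."""
    return {n: (vulnerable_accepts(n, d), hardened_accepts(n, d)) for n, d in samples.items()}


if __name__ == "__main__":
    for name, (vuln, hard) in evaluate().items():
        print(f"{name:24} vulnerable={vuln!s:5} hardened={hard}")
```

Two caveats a practitioner should keep in mind: an image whose bytes legitimately start with a GIF or PNG header can still carry PHP text later in the file, so a cropper should re-encode the image it stores rather than keep the original bytes; and the check above only helps if the web server never executes files under the uploads directory, so denying script execution there (for example with an Apache or nginx rule) is the defence-in-depth layer that would have blunted this class of bug even before the fix.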
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An unauthenticated arbitrary file upload vulnerability in a public-facing WordPress plugin lets an attacker exploit a public-facing application (T1190), and the uploaded file can be a web shell that gives persistent remote code execution on the server (T1505.003).
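As an added example of what detection for this technique pair looks like (this is not from the advisory or the plugin), the script below runs over constructed web-server access log lines and flags any request for a script file under /wp-content/uploads/, which should never happen on a healthy WordPress site; when the same client earlier POSTed to an upload endpoint, the alert is tagged as the T1190 to T1505.003 chain. The advisory does not name the cropper's HTTP route, so the upload-endpoint pattern here simply matches WordPress's generic AJAX entry point and is an assumption; the log lines, IPs and filenames are invented.

```python
"""Added example: flag web-shell access under wp-content/uploads in access logs.

Not from the advisory. The log lines below are constructed; the upload
endpoint pattern is an assumption, since the CVE does not name the route.
"""
import re

# Combined/common log format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# A script under uploads, whether followed by a query string, a path, or nothing.
SCRIPT_IN_UPLOADS = re.compile(
    r'/wp-content/uploads/.*\.(?:php\d?|phtml|phar)(?:[?/]|$)', re.IGNORECASE
)

# Assumed upload route: the WordPress AJAX entry point many plugins use.
UPLOAD_ENDPOINT = re.compile(r'/wp-admin/admin-ajax\.php', re.IGNORECASE)

# Constructed sample log: one upload-then-execute chain, one benign image fetch,
# and one scanner probing for a shell that does not exist.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Oct/2025:10:01:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 57 "-" "curl/8.4.0"
203.0.113.7 - - [18/Oct/2025:10:01:05 +0000] "GET /wp-content/uploads/2025/10/crop-x8f2.php?c=id HTTP/1.1" 200 312 "-" "curl/8.4.0"
198.51.100.4 - - [18/Oct/2025:10:02:11 +0000] "GET /wp-content/uploads/2025/10/avatar.png HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
192.0.2.9 - - [18/Oct/2025:10:03:40 +0000] "GET /wp-content/uploads/shell.php HTTP/1.1" 404 0 "-" "python-requests/2.31"
"""


def parse(lines):
    """Yield parsed entries, skipping lines that do not match the log format."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def detect(lines):
    """Return alerts as (ip, technique tag, path, status) tuples, in log order."""
    uploaded_from = set()   # clients seen POSTing to the upload endpoint
    alerts = []
    for e in parse(lines):
        if e["method"] == "POST" and UPLOAD_ENDPOINT.search(e["path"]):
            uploaded_from.add(e["ip"])
        if SCRIPT_IN_UPLOADS.search(e["path"]):
            tag = "T1190->T1505.003" if e["ip"] in uploaded_from else "T1505.003"
            alerts.append((e["ip"], tag, e["path"], e["status"]))
    return alerts


if __name__ == "__main__":
    for ip, tag, path, status in detect(SAMPLE_LOG.splitlines()):
        print(f"{tag:18} {ip:14} {status} {path}")
```

A 404 hit is still worth recording: it shows who is probing for a dropped shell, and a later 200 from the same client for the same path is a strong signal that the upload succeeded. Pairing this log rule with a periodic filesystem scan for .php files beneath wp-content/uploads catches shells that are reached through a different vhost or not yet requested.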