CVE-2025-13156

High

Published: 21 November 2025

Published

21 November 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0027 50.5th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

The Vitepos – Point of Sale (POS) for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the insert_media_attachment() function in all versions up to, and including, 3.3.0. This is due to…

the save_update_category_img() function accepting user-supplied file types without validation when processing category images. This makes it possible for authenticated attackers, with subscriber level access and above, to upload arbitrary files on the affected site's server which makes remote code execution possible.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Requires validation of user-supplied inputs like file types during category image uploads to prevent arbitrary file uploads.

SI-2 Flaw Remediation good match

prevent

Mandates timely remediation of flaws such as missing file validation through patching the affected plugin versions.

SI-3 Malicious Code Protection good match

preventdetect

Implements malicious code protection at system entry points to scan and block dangerous files uploaded via the vulnerable function.

Security SummaryAI

CVE-2025-13156 is an arbitrary file upload vulnerability in the Vitepos – Point of Sale (POS) for WooCommerce plugin for WordPress, affecting all versions up to and including 3.3.0. The issue stems from missing file type validation in the insert_media_attachment() function, exploited via the save_update_category_img() function, which accepts user-supplied file types without validation during category image processing.

Authenticated attackers with subscriber-level access or higher can exploit this vulnerability over the network with low complexity and no user interaction. Successful exploitation allows uploading arbitrary files to the affected site's server, enabling remote code execution. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-434 (Unrestricted Upload of File with Dangerous Type).

Mitigation is provided through a patch in WordPress plugins trac changeset 3398044. Further details on the vulnerability and remediation are available in the Wordfence threat intelligence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/bd478bb7-f0d7-4a29-8236-96ad69b5ae67?source=cve.

Details

CWE(s): CWE-434

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Arbitrary file upload vulnerability in public-facing WordPress plugin allows authenticated remote code execution, directly enabling exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://plugins.trac.wordpress.org/changeset/3398044
security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/bd478bb7-f0d7-4a29-8236-96ad69b5ae67?source=cve
security@wordfence.com