CVE-2025-13329

Critical

Published: 20 December 2025

Published

20 December 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0023 45.2th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

The File Uploader for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the callback function for the 'add-image-data' REST API endpoint in all versions up to, and including, 1.0.3. This makes…

it possible for unauthenticated attackers to upload arbitrary files to the Uploadcare service and subsequently download them on the affected site's server which may make remote code execution possible.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly addresses the missing file type validation in the 'add-image-data' REST API endpoint to block arbitrary file uploads.

SC-14 Public Access Protections good match

prevent

Enforces authorization requirements on the publicly accessible vulnerable REST API endpoint to block unauthenticated attackers.

SI-2 Flaw Remediation good match

prevent

Ensures timely patching of the plugin vulnerability as fixed in changeset 3423070 to remediate the arbitrary upload flaw.

Security SummaryAI

CVE-2025-13329 is a critical vulnerability in the File Uploader for WooCommerce plugin for WordPress, affecting all versions up to and including 1.0.3. It stems from missing file type validation in the callback function for the 'add-image-data' REST API endpoint, enabling arbitrary file uploads. Assigned CWE-434 (Unrestricted Upload of File with Dangerous Type), it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility and lack of prerequisites.

Unauthenticated attackers can exploit this flaw remotely by sending crafted requests to the vulnerable endpoint. This allows them to upload arbitrary files to the associated Uploadcare service, which they can then download onto the affected WordPress site's server. Such uploads may lead to remote code execution if malicious files like web shells are successfully placed and invoked.

Mitigation details are available in related advisories and patches. Wordfence's threat intelligence page provides vulnerability specifics under ID da0f0e1a-bbf8-42a5-b330-b53134488ebd. A fix appears in WordPress plugin trac changeset 3423070, modifying the UploaderHelper class in the plugin's source code; users should update to the latest version via the official plugin page on wordpress.org.

Details

CWE(s): CWE-434

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability is an unauthenticated arbitrary file upload in a public-facing WordPress plugin's REST API endpoint, directly enabling exploitation of a public-facing application for potential RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://plugins.trac.wordpress.org/changeset/3423070/file-uploader-for-woocommerce/trunk/src/Helpers/class-uploaderhelper.php
security@wordfence.com
https://wordpress.org/plugins/file-uploader-for-woocommerce/
security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/da0f0e1a-bbf8-42a5-b330-b53134488ebd?source=cve
security@wordfence.com