CVE-2025-22723

Severity: Critical
Published: 21 January 2025
Modified: 23 April 2026
KEV Added: not listed
Patch: not listed
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0014 (34.2nd percentile)
Risk Priority: 18 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

Unrestricted Upload of File with Dangerous Type vulnerability in Dmitry V. (CEO of "UKR Solution") Barcode Scanner with Inventory & Order Manager (barcode-scanner-lite-pos-to-manage-products-inventory-and-orders) allows uploading a web shell to a web server. This issue affects Barcode Scanner with Inventory & Order Manager: all versions up to and including 1.6.7.

Security Summary

CVE-2025-22723 is an Unrestricted Upload of File with Dangerous Type vulnerability (CWE-434) in the WordPress plugin Barcode Scanner with Inventory & Order Manager, developed by Dmitry V. (CEO of "UKR Solution") under the identifier barcode-scanner-lite-pos-to-manage-products-inventory-and-orders. Published on 2025-01-21, it affects all versions of the plugin up to and including 1.6.7, enabling attackers to upload a web shell directly to the web server.

The vulnerability carries a CVSS 3.1 score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), indicating exploitation is possible over the network with low complexity and no user interaction, but requires high privileges (PR:H), such as administrative access to the WordPress site. A privileged attacker can upload malicious files such as web shells; because an uploaded script then runs with the permissions of the web server process rather than within the plugin's own authorization boundary, the vector records a scope change (S:C) with high impact on confidentiality, integrity, and availability, potentially leading to full server compromise and remote code execution.

The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/barcode-scanner-lite-pos-to-manage-products-inventory-and-orders/vulnerability/wordpress-barcode-scanner-and-inventory-manager-plugin-1-6-7-arbitrary-file-upload-vulnerability?_s_id=cve) documents this arbitrary file upload issue in the plugin's version 1.6.7, providing details for WordPress site operators to assess and address exposure.

Details

CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type)

References