CVE-2025-22782

Critical

Published: 15 January 2025

Published

15 January 2025

Modified

23 April 2026

KEV Added

—

Patch

—

CVSS Score 9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS Score 0.0032 55.4th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Unrestricted Upload of File with Dangerous Type vulnerability in Web Ready Now WR Price List Manager For Woocommerce wr-price-list-for-woocommerce allows Upload a Web Shell to a Web Server.This issue affects WR Price List Manager For Woocommerce: from n/a through <= 1.0.8.

Security Summary

CVE-2025-22782 is an Unrestricted Upload of File with Dangerous Type vulnerability (CWE-434) in the Web Ready Now WR Price List Manager For Woocommerce WordPress plugin (wr-price-list-for-woocommerce). This issue affects all versions from n/a through 1.0.8 and allows attackers to upload a web shell to the web server. The vulnerability carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), marking it as critical.

An authenticated attacker with low privileges, such as a standard WordPress user, can exploit this vulnerability remotely over the network with low attack complexity and no user interaction. Exploitation enables the upload of a web shell, resulting in remote code execution (RCE) with high impacts on confidentiality, integrity, and availability, along with a change in scope.

The Patchstack advisory provides further details on this remote code execution vulnerability in WR Price List Manager For Woocommerce version 1.0.8: https://patchstack.com/database/Wordpress/Plugin/wr-price-list-for-woocommerce/vulnerability/wordpress-wr-price-list-manager-for-woocommerce-plugin-1-0-8-remote-code-execution-rce-vulnerability?_s_id=cve.

Details

CWE(s): CWE-434

References

https://patchstack.com/database/Wordpress/Plugin/wr-price-list-for-woocommerce/vulnerability/wordpress-wr-price-list-manager-for-woocommerce-plugin-1-0-8-remote-code-execution-rce-vulnerability?_s_id=cve
audit@patchstack.com