File Uploader for WooCommerce

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

The File Uploader for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the callback function for the 'add-image-data' REST API endpoint in all versions up to, and including, 1.0.3. This makes it possible for unauthenticated attackers to upload arbitrary files to the Uploadcare service and subsequently download them on the affected site's server which may make remote code execution possible.

AI Analysis

Unauthenticated arbitrary file upload vulnerability due to missing file type validation in the 'add-image-data' REST API endpoint

Basic Information

ID CVE-2025-13329

Source Wordfence

Published Dec 20, 2025 at 03:20

Affected Product

Vendor snowray

Product File Uploader for WooCommerce

Version *

Affected Versions snowray File Uploader for WooCommerce *

CWE Classification

CWE-434

AI Assessment

AI Score 9.8 / 10

AI Severity Critical

Vendor snowray

Product File Uploader for WooCommerce

Version 1.0.3

References

{
    "lastseen": "",
    "description": "The File Uploader for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the callback function for the 'add-image-data' REST API endpoint in all versions up to, and including, 1.0.3. This makes it possible for unauthenticated attackers to upload arbitrary files to the Uploadcare service and subsequently download them on the affected site's server which may make remote code execution possible.",
    "published": "2025-12-20T03:20:24.442Z",
    "modified": "2025-12-20T03:20:24.442Z",
    "type": "cve",
    "title": "File Uploader for WooCommerce <= 1.0.3 - Unauthenticated Arbitrary File Upload via add-image-data",
    "source": "Wordfence",
    "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/da0f0e1a-bbf8-42a5-b330-b53134488ebd?source=cve\nhttps://wordpress.org/plugins/file-uploader-for-woocommerce/",
    "id": "CVE-2025-13329",
    "bulletinFamily": "",
    "cwe": [
        "CWE-434"
    ],
    "cvelist": null,
    "sourceData": "snowray File Uploader for WooCommerce *",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "File Uploader for WooCommerce",
    "version": "*",
    "vendor": "snowray",
    "ai_description": "Unauthenticated arbitrary file upload vulnerability due to missing file type validation in the 'add-image-data' REST API endpoint",
    "ai_severity": "Critical",
    "ai_vendor": "snowray",
    "ai_product": "File Uploader for WooCommerce",
    "ai_version": "1.0.3",
    "ai_score": 9.8
}

File Uploader for WooCommerce <= 1.0.3 - Unauthenticated Arbitrary File Upload via add-image-data_CVE-2025-13329