Critical severity9.8NVD Advisory· Published May 9, 2025· Updated Apr 15, 2026
CVE-2025-4403
CVE-2025-4403
Description
The Drag and Drop Multiple File Upload for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads in all versions up to, and including, 1.1.6 due to accepting a user‐supplied supported_type string and the uploaded filename without enforcing real extension or MIME checks within the upload() function. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2(expand)+ 1 more
- (no CPE)
- (no CPE)range: <=1.1.6
Patches
Vulnerability mechanics
References
5- plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-for-woocommerce/tags/1.1.6/inc/class-dnd-upload-wc.phpnvd
- plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-for-woocommerce/tags/1.1.6/inc/class-dnd-upload-wc.phpnvd
- plugins.trac.wordpress.org/changeset/3289478/nvd
- wordpress.org/plugins/drag-and-drop-multiple-file-upload-for-woocommerce/nvd
- www.wordfence.com/threat-intel/vulnerabilities/id/933dd704-5a31-42a9-9b87-bf14a9d4ffa9nvd
News mentions
0No linked articles in our index yet.