CVE-2026-42725

Vulnerability

The WP Wham Checkout Files Upload for WooCommerce plugin (checkout-files-upload-woocommerce) versions n/a through <= 2.2.5 contain an Authorization Bypass Through User-Controlled Key vulnerability, classified as an Insecure Direct Object Reference (IDOR) [1]. The flaw lies in how the plugin handles file download requests, where the file identifier is supplied directly by the user without proper validation of ownership or role-based access controls [1].

Exploitation

An unauthenticated attacker can exploit this vulnerability by sending a crafted HTTP request that references another user's uploaded file ID [1]. The attacker does not need to be logged in or have any special privileges; simply knowing or guessing a valid file identifier is sufficient to trigger the authorization bypass [1]. The file identifiers are often sequential or predictable, making enumeration straightforward.

Impact

Successful exploitation allows the attacker to download arbitrary files that were uploaded by other users during checkout [1]. This can lead to disclosure of sensitive information, such as order details, personal identification documents, or payment-related attachments, depending on what customers are asked to upload. The attacker gains read access to files they are not authorized to view, violating confidentiality and potentially privacy regulations.

Mitigation

A patched version, 2.2.6, has been released to address the vulnerability [1]. Users are advised to update immediately. For those who cannot update, Patchstack has issued a mitigation rule that can block attacks until the update is applied [1]. There is no known workaround for the unpatched plugin besides updating or disabling the plugin.