CVE-2025-2941

CVE-2025-2941: Drag and Drop Multiple File Upload for WooCommerce - Arbitrary File Move

Description:

The Drag and Drop Multiple File Upload for WooCommerce plugin for WordPress, versions up to and including 1.1.4, is vulnerable to arbitrary file moving. This is due to insufficient validation of the file path provided via the wc-upload-file[] parameter. Unauthenticated attackers can exploit this vulnerability to move arbitrary files on the server.

Severity:

  • CVSS Score: 9.8 (Critical)
  • Impact: Remote Code Execution (RCE)

Known Exploit:

An unauthenticated attacker can manipulate the wc-upload-file[] parameter to specify a source file and a destination to move it to. By moving critical files like wp-config.php to a publicly accessible directory or overwriting existing PHP files, the attacker can gain Remote Code Execution on the server.

Remediation / Mitigation Strategy:

  1. Immediate Update: Upgrade the Drag and Drop Multiple File Upload for WooCommerce plugin to the latest version (greater than 1.1.4) as soon as possible. The updated version contains a fix for this vulnerability.

  2. Temporary Disable (If Update Not Possible Immediately): If an immediate update is not feasible, temporarily disable the plugin until the update can be performed. This will prevent exploitation of the vulnerability.

  3. Web Application Firewall (WAF) Rule: Implement a WAF rule to block requests containing malicious payloads in the wc-upload-file[] parameter. The rule should identify and block any attempt to move sensitive files or folders such as wp-config.php, .htaccess, or PHP files outside the intended upload directory. Example rule logic (syntax depends on the WAF): flag requests in which wc-upload-file[] contains “..” or “/../”, or otherwise resolves to a path outside the upload directory.

  4. File Integrity Monitoring: Implement a file integrity monitoring system to detect unauthorized changes to critical files, such as wp-config.php, .htaccess, and core WordPress files. This will provide early warning if an attacker has successfully exploited the vulnerability and modified sensitive files.

  5. Review Logs: Review server access logs and WordPress logs for any suspicious activity related to the Drag and Drop Multiple File Upload for WooCommerce plugin, especially requests containing the wc-upload-file[] parameter. Look for attempts to access or manipulate sensitive files.

  6. Principle of Least Privilege: Ensure that the web server user account has the minimum necessary privileges to function. Avoid granting write access to directories outside of the intended upload directory.

  7. Input Sanitization and Validation (Developer Note): For future development of plugins, always thoroughly sanitize and validate all user-supplied input, including file paths, before using it in any file system operations. Use whitelisting instead of blacklisting for allowed file paths and types. Use secure file handling functions to prevent path traversal and other file manipulation vulnerabilities.
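The following scanner, added here as an illustration and not part of the advisory or the plugin, applies the pattern logic from steps 3 and 5 to constructed access-log lines: it extracts wc-upload-file[] values from each request's query string, undoes repeated percent-encoding, and flags traversal sequences, the sensitive files named above, and PHP file names. The admin-ajax.php endpoint, client IPs and file paths in the sample are assumptions, not values taken from the page.

```python
from __future__ import annotations
import posixpath, re
from urllib.parse import parse_qs, unquote_plus, urlsplit

PARAM = "wc-upload-file[]"                        # parameter named in the advisory
SENSITIVE_NAMES = {"wp-config.php", ".htaccess"}  # files the advisory calls out
# Combined log format: client IP, timestamp, then the quoted request line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<target>\S+) [^"]*"')

# Constructed sample lines; client IPs, endpoint and file paths are made up for illustration.
SAMPLE_LOG = """\
198.51.100.7 - - [05/Apr/2025:07:05:12 +0000] "POST /wp-admin/admin-ajax.php?wc-upload-file%5B%5D=wp-content/uploads/2025/04/design.png HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Apr/2025:07:10:01 +0000] "POST /wp-admin/admin-ajax.php?wc-upload-file%5B%5D=..%2F..%2Fwp-config.php HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.5 - - [05/Apr/2025:07:10:03 +0000] "POST /wp-admin/admin-ajax.php?wc-upload-file%5B%5D=%252e%252e%252f%252e%252e%252f.htaccess HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.9 - - [05/Apr/2025:07:12:44 +0000] "POST /wp-admin/admin-ajax.php?wc-upload-file%5B%5D=wp-content/uploads/upload.php HTTP/1.1" 200 498 "-" "python-requests/2.31"
198.51.100.8 - - [05/Apr/2025:07:13:00 +0000] "GET /shop/ HTTP/1.1" 200 9821 "-" "Mozilla/5.0"
"""

def decode_fully(value: str) -> str:
    # Peel repeated percent-encoding so %252e%252e (double-encoded "..") is seen as "..".
    while (decoded := unquote_plus(value)) != value:
        value = decoded
    return value

def classify_value(value: str) -> str | None:
    # Why a wc-upload-file[] value looks abusive, or None if it looks like a normal upload.
    path = posixpath.normpath(decode_fully(value).replace("\\", "/"))
    name = posixpath.basename(path)
    if path.startswith("/") or path == ".." or path.startswith("../"):
        return "path traversal outside the upload directory"
    if name in SENSITIVE_NAMES:
        return f"targets sensitive file {name}"
    if name.lower().endswith(".php"):
        return "PHP file named in upload parameter"
    return None

def scan_log(text: str) -> list[dict]:
    # One finding per suspicious wc-upload-file[] value seen in a request's query string.
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        query = parse_qs(urlsplit(m["target"]).query) if m else {}
        for v in query.get(PARAM, []):  # parse_qs decodes %5B%5D, so the key is plain "[]"
            reason = classify_value(v)
            if reason:
                findings.append({"ip": m["ip"], "ts": m["ts"], "value": v, "reason": reason})
    return findings

for f in scan_log(SAMPLE_LOG):
    print(f"{f['ts']} {f['ip']} {f['reason']}: {f['value']}")
```

Standard access logs record only the request line, so a parameter sent in a POST body is invisible to this check; for that case the same classify_value logic belongs in the WAF or in application-level request logging.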

Date

  • Published Date: 2025-04-05 07:01:11
  • Updated Date: 2025-04-05 07:01:11
