Drag and Drop Multiple File Upload for WooCommerce < 1.1.7 – Unauthenticated Arbitrary File Upload via upload Function | CVE 2025-4403 | Plugin Vulnerabilities

Description

The Drag and Drop Multiple File Upload for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads in all versions up to, and including, 1.1.6 due to accepting a user‐supplied supported_type string and the uploaded filename without enforcing real extension or MIME checks within the upload() function. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

Affects Plugins

drag-and-drop-multiple-file-upload-for-woocommerce

Fixed in 1.1.7

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/933dd704-5a31-42a9-9b87-bf14a9d4ffa9

Miscellaneous

Original Researcher

Milinxee

Verified

No

WPVDB ID

7f691ba7-cda3-47f7-a3dc-6ae7ed6c3887

Timeline

Publicly Published

2025-05-08 (about 1 year ago)

Added

2025-05-08 (about 1 year ago)

Last Updated

2025-05-09 (about 1 year ago)

Other

Published

Title

Published

2014-08-01

Title

Rent A Car 1.0 - Shell Upload

Published

2015-11-17

Title

Users Ultra Membership Plugin <= 1.5.58 - Unrestricted File Upload

Published

2015-04-25

Title

WooCommerce Amazon Affiliates - Arbitrary File Upload

Published

2025-09-18

Title

Embed PDF for WPForms < 1.1.6 - Authenticated (Subscriber+) Arbitrary File Upload

Published

2024-11-25

Title

Booking calendar, Appointment Booking System < 3.2.16 - Unauthenticated Stored Cross-Site Scripting via SVG File Upload