CVE-2025-2941 in Drag and Drop Multiple File Upload for WooCommerce Plugin

Summary

by MITRE • 04/05/2025

The Drag and Drop Multiple File Upload for WooCommerce plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation via the wc-upload-file[] parameter in all versions up to, and including, 1.1.4. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php).


Analysis

by VulDB Data Team • 04/05/2025

The vulnerability identified in CVE-2025-2941 affects the Drag and Drop Multiple File Upload for WooCommerce plugin, a WordPress extension that adds a drag-and-drop file upload field to WooCommerce stores. The flaw lies in the plugin's handling of the wc-upload-file[] parameter: the file path received there is not validated before the plugin acts on it. Because the affected code path is reachable without authentication, the weakness undermines a basic security boundary of any WordPress installation running the plugin, not only the WooCommerce parts of the site.

Technically, the problem is insufficient input validation in the plugin's file handling routine. An attacker supplies a value for wc-upload-file[] that does not name a file in the plugin's upload directory but instead uses directory traversal sequences such as ../ to point at any other file on the server, and the plugin moves that file to a new location without checking where the supplied path actually resolves. This path traversal condition turns an upload helper into an arbitrary file-move primitive that runs with the permissions of the web server account. Since no login is required to reach the handler, the WordPress capability checks that normally guard file operations are never consulted.
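To make the flawed pattern concrete, the following is an added example in Python (a model of the bug class, not the plugin's PHP code). It builds a constructed fake WordPress tree in a temporary directory, shows a handler that joins the caller-supplied value to the upload directory and moves whatever it points at, and beside it a hardened handler that accepts only a bare file name and then confirms that the resolved path (symlinks followed) still lies inside the upload directory. The move target directory, the file names and the traversal value are all assumptions for the demonstration; the real plugin's internal destination is not known from this page.

```python
import os
import shutil
import tempfile
from pathlib import Path


def move_file_vulnerable(upload_dir: str, requested: str, dest_dir: str) -> str:
    """Model of the flawed pattern: the caller-supplied name is joined to the
    upload directory and moved without checking where the path really leads.
    (Illustrative Python, not the plugin's PHP.)"""
    src = os.path.join(upload_dir, requested)          # "../../../wp-config.php" walks out
    dst = os.path.join(dest_dir, os.path.basename(src))
    shutil.move(src, dst)
    return dst


def move_file_hardened(upload_dir: str, requested: str, dest_dir: str) -> str:
    """Hardened version: accept only a bare file name, then confirm that the
    resolved path (symlinks followed) still lies inside the upload directory."""
    name = os.path.basename(requested)
    if name != requested or name in ("", ".", ".."):
        raise ValueError(f"rejected file name: {requested!r}")
    base = Path(upload_dir).resolve()
    src = (base / name).resolve()                       # follows symlinks
    if not src.is_relative_to(base):                    # Python 3.9+
        raise ValueError(f"{name!r} resolves outside the upload directory")
    if not src.is_file():
        raise FileNotFoundError(name)
    dst = Path(dest_dir) / name
    shutil.move(str(src), str(dst))
    return str(dst)


def build_site(root: str) -> tuple[str, str, str]:
    """Constructed fixture: a minimal fake WordPress tree, not a real install."""
    webroot = os.path.join(root, "htdocs")
    upload_dir = os.path.join(webroot, "wp-content", "uploads", "wc-uploads")
    dest_dir = os.path.join(root, "processed")          # hypothetical move target
    os.makedirs(upload_dir)
    os.makedirs(dest_dir)
    with open(os.path.join(webroot, "wp-config.php"), "w") as fh:
        fh.write("<?php define('DB_PASSWORD', 'constructed-example');\n")
    with open(os.path.join(upload_dir, "order-123.pdf"), "w") as fh:
        fh.write("%PDF-1.4 constructed sample\n")
    return webroot, upload_dir, dest_dir


def demo() -> dict:
    """Run both handlers against the same traversal value and report what happened."""
    traversal = "../../../wp-config.php"                # attacker-controlled wc-upload-file[] value
    results = {}
    with tempfile.TemporaryDirectory() as root:
        webroot, upload_dir, dest_dir = build_site(root)
        move_file_vulnerable(upload_dir, traversal, dest_dir)
        results["vulnerable_config_moved"] = (
            not os.path.exists(os.path.join(webroot, "wp-config.php"))
            and os.path.exists(os.path.join(dest_dir, "wp-config.php"))
        )
    with tempfile.TemporaryDirectory() as root:
        webroot, upload_dir, dest_dir = build_site(root)
        try:
            move_file_hardened(upload_dir, traversal, dest_dir)
            results["hardened_rejected_traversal"] = False
        except ValueError:
            results["hardened_rejected_traversal"] = True
        # Second bypass attempt: a symlink planted inside the upload directory.
        # The bare-name check passes, so only the resolved-path check catches it.
        os.symlink(os.path.join(webroot, "wp-config.php"),
                   os.path.join(upload_dir, "evil.pdf"))
        try:
            move_file_hardened(upload_dir, "evil.pdf", dest_dir)
            results["hardened_rejected_symlink"] = False
        except ValueError:
            results["hardened_rejected_symlink"] = True
        results["config_intact"] = os.path.exists(os.path.join(webroot, "wp-config.php"))
        # A legitimate upload is still processed normally.
        moved = move_file_hardened(upload_dir, "order-123.pdf", dest_dir)
        results["legit_upload_moved"] = os.path.isfile(moved)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two checks in the hardened handler are deliberately separate: rejecting anything that is not a bare file name stops the ../ case, and the resolved-path containment check stops the case the first test cannot see, a symlink inside the upload directory that points somewhere else.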

The impact goes well beyond unauthorized file access, because moving the right file leads to remote code execution. The notable case is wp-config.php: moving it does not hand the attacker its contents, but a WordPress site without wp-config.php falls back to its installation routine, and an attacker who then visits the installer can complete a fresh setup against a database they control, obtain an administrator account, and from there execute code (for example by uploading a malicious plugin). Other files that enforce protections can be moved aside in the same way. Any of these outcomes can be followed by persistent access, data theft, defacement or further payload deployment. Because no authentication is required, any visitor to the affected site can trigger the flaw, which makes it especially dangerous on publicly reachable e-commerce sites.

The weakness corresponds to CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal') and CWE-73 (External Control of File Name or Path): attacker-controlled input decides which file path the application operates on. In ATT&CK terms, exploiting the flaw is T1190 Exploit Public-Facing Application; moving files that enforce protections maps to T1562 Impair Defenses, and any code execution obtained afterwards to T1059 Command and Scripting Interpreter. Organizations running version 1.1.4 or earlier should update the plugin to a release in which the issue is fixed, or disable it until they can. Additional measures: a web application firewall rule that rejects wc-upload-file[] values containing directory separators or traversal sequences; file-system permissions that deny the web server account write access to the directories holding wp-config.php and similar files, since renaming a file requires write permission on its parent directory; and log review for requests carrying such values, or for unexpected hits on the WordPress installer (/wp-admin/install.php), which would indicate that wp-config.php has already been moved. File integrity monitoring on the WordPress root catches the move itself.
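The parameter check a WAF rule or request-logging middleware would apply, as an added example in Python (not a VulDB, Wordfence or plugin rule). It assumes the parameter arrives in a urlencoded request body under a key starting with wc-upload-file (which covers wc-upload-file[] and indexed forms), that a legitimate value is a bare file name, and that evasions such as double percent-encoding and backslashes must be undone before matching. The sample bodies are constructed, not captured traffic. Note that POST bodies do not appear in a standard web-server access log, so this check has to run where the body is visible.

```python
import re
from urllib.parse import parse_qs, unquote

# File names whose appearance in an upload parameter is worth an alert on its own.
SENSITIVE_NAMES = {"wp-config.php", ".htaccess", "wp-settings.php", "wp-load.php"}
PARAM_PREFIX = "wc-upload-file"      # matches wc-upload-file[] and wc-upload-file[0] (assumed form)


def normalize(value: str) -> str:
    """Undo the evasions a WAF rule must expect before looking for traversal:
    repeated percent-decoding (parse_qs already decoded once) and backslashes."""
    for _ in range(2):
        value = unquote(value)
    return value.replace("\\", "/")


def reasons_for(value: str) -> list[str]:
    """Return the reasons a single parameter value looks like a file-move attack.
    A legitimate value is a bare file name, so any path structure is suspicious."""
    v = normalize(value)
    segments = v.split("/")
    reasons = []
    if "\x00" in v:
        reasons.append("null byte")
    if ".." in segments:
        reasons.append("parent-directory traversal")
    if v.startswith("/") or re.match(r"^[A-Za-z]:/", v):
        reasons.append("absolute path")
    elif len(segments) > 1:
        reasons.append("directory separator in file name")
    if segments[-1].lower() in SENSITIVE_NAMES:
        reasons.append("targets sensitive file")
    return reasons


def scan_body(body: str) -> dict[str, list[str]]:
    """Scan one urlencoded request body; map each suspicious wc-upload-file value
    (as received, after a single decode) to the reasons it was flagged."""
    findings = {}
    for key, values in parse_qs(body, keep_blank_values=True).items():
        if not key.startswith(PARAM_PREFIX):
            continue
        for value in values:
            reasons = reasons_for(value)
            if reasons:
                findings[value] = reasons
    return findings


# Constructed request bodies (not captured traffic) as a WAF would see them.
SAMPLE_BODIES = {
    "legit": "wc-upload-file%5B%5D=order-123.pdf&wc-upload-file%5B%5D=photo.jpg",
    "traversal": "wc-upload-file%5B%5D=..%2F..%2F..%2Fwp-config.php",
    "double_encoded": "wc-upload-file%5B%5D=%252e%252e%252f%252e%252e%252fwp-config.php",
    "backslash": "wc-upload-file%5B%5D=..%5C..%5C..%5Cwp-config.php",
    "absolute": "wc-upload-file%5B%5D=%2Fvar%2Fwww%2Fhtml%2Fwp-config.php",
    "other_param": "comment=..%2F..%2Fetc%2Fpasswd&wc-upload-file%5B%5D=invoice.pdf",
}


def scan_samples() -> dict[str, dict[str, list[str]]]:
    """Run the scanner over every constructed sample body."""
    return {name: scan_body(body) for name, body in SAMPLE_BODIES.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(name, "->", findings or "clean")
```

The rule is scoped to the vulnerable parameter on purpose: a traversal string in an unrelated free-text field (the other_param sample) is not flagged here, which keeps the alert tied to this CVE and low in noise. The normalization step is what makes the double-encoded and backslash variants match the same way as the plain ../ form.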

Sources
