CVE-2025-13156

HIGH

Vitepos - Point of Sale (POS) for WooCommerce plugin <= 3.3.0 - Arbitrary File Upload

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-13156. PoCs published by MooseLoveti.

AI-analyzed exploit summary This repository discloses CVE-2025-13156, an authenticated arbitrary file upload vulnerability in Vitepos – Point of Sale (POS) for WooCommerce <= 3.3.0. The vulnerability allows authenticated users with subscriber-level access to upload arbitrary files, potentially leading to remote code execution.

Description

The Vitepos – Point of Sale (POS) for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the insert_media_attachment() function in all versions up to, and including, 3.3.0. This is due to the save_update_category_img() function accepting user-supplied file types without validation when processing category images. This makes it possible for authenticated attackers, with subscriber level access and above, to upload arbitrary files on the affected site's server which makes remote code execution possible.

Exploits (1)

nomisec WRITEUP 1 stars

by MooseLoveti · poc

https://github.com/MooseLoveti/Vitepos-CVE-Report

View Code ZIP pw:eip

This repository discloses CVE-2025-13156, an authenticated arbitrary file upload vulnerability in Vitepos – Point of Sale (POS) for WooCommerce <= 3.3.0. The vulnerability allows authenticated users with subscriber-level access to upload arbitrary files, potentially leading to remote code execution.

Classification

Writeup 90%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Vitepos – Point of Sale (POS) for WooCommerce <= 3.3.0

Auth required

Prerequisites: Authenticated access to the WordPress site · Subscriber-level privileges or higher

MITRE ATT&CK

T1105 - Ingress Tool Transfer T1204 - User Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Product

https://plugins.trac.wordpress.org/changeset/3398044

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/bd478bb7-f0d7-4a29-8236-96ad69b5ae67?source=cve

Scores

CVSS v3 8.8

EPSS 0.0058

EPSS Percentile 42.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-434

Status published

Products (1)

appsbd/Vitepos – Point of Sale (POS) for WooCommerce < 3.3.0

Published Nov 21, 2025

Tracked Since Feb 18, 2026