CVE-2025-13156

HIGH

Vitepos - Point of Sale (POS) for WooCommerce plugin <= 3.3.0 - Arbitrary File Upload

Title source: llm

Description

The Vitepos – Point of Sale (POS) for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the insert_media_attachment() function in all versions up to, and including, 3.3.0. This is due to the save_update_category_img() function accepting user-supplied file types without validation when processing category images. This makes it possible for authenticated attackers, with subscriber level access and above, to upload arbitrary files on the affected site's server which makes remote code execution possible.

Exploits (1)

nomisec WRITEUP 1 stars
by MooseLoveti · poc
https://github.com/MooseLoveti/Vitepos-CVE-Report

References (2)

Scores

CVSS v3 8.8
EPSS 0.0023
EPSS Percentile 45.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-434
Status published
Products (1)
appsbd/Vitepos – Point of Sale (POS) for WooCommerce < 3.3.0
Published Nov 21, 2025
Tracked Since Feb 18, 2026