CVE-2025-4403

CRITICAL

WordPress Drag and Drop Multiple File Upload for WooCommerce <= 1.1.6 - File Upload Code Execution

Title source: manual

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-4403, a PoC published by Yucaerin.

AI-analyzed exploit summary: This PoC exploits an arbitrary file upload vulnerability in the Drag and Drop Multiple File Upload for WooCommerce plugin, allowing unauthenticated attackers to upload malicious files by bypassing extension and MIME checks.

Description

The Drag and Drop Multiple File Upload for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads in all versions up to, and including, 1.1.6 due to accepting a user-supplied supported_type string and the uploaded filename without enforcing real extension or MIME checks within the upload() function. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server, which may make remote code execution possible.
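The description above names the two ingredients of this CWE-434 pattern: the list of permitted types comes from the request, and the extension check reads only the text after the last dot. The following is an added illustration written for this page, not code from the plugin or from the PoC: a minimal model of such a check next to a hardened validator that ignores the client-supplied type list, strips trailing dots (the PoC prerequisites name a file called 'index.php.'; how the plugin itself handles that name is not stated on the page, so the trailing-comma type list used to get it past the flawed model is a constructed case), rejects executable extensions anywhere in the name, and sniffs the file's magic bytes. The function names, the allowlist and the sample uploads are assumptions made for the example.

```python
"""Added example: a model of a client-trusting upload check beside a hardened one.
Nothing here is taken from Drag and Drop Multiple File Upload for WooCommerce;
function names, allowlists and samples are constructed for illustration."""
import os
import re
from typing import Optional

# Constructed server-side allowlist: extension -> magic-byte prefixes we accept.
ALLOWED = {
    "jpg": {b"\xff\xd8\xff"},          # JPEG SOI marker
    "png": {b"\x89PNG\r\n\x1a\n"},     # PNG signature
    "pdf": {b"%PDF-"},                 # PDF header
}

# Extensions a PHP-enabled web server may execute if they appear anywhere in the name.
EXECUTABLE = {"php", "php3", "php4", "php5", "phtml", "phar"}


def vulnerable_accepts(filename: str, supported_type: str) -> bool:
    """Model of the flawed pattern: the allowlist is parsed from the request
    (supported_type) and the 'extension' is whatever follows the last dot.
    A name ending in a dot therefore yields an empty extension."""
    allowed = {t.strip().lower() for t in supported_type.split(",")}
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in allowed


def safe_name(filename: str) -> Optional[str]:
    """Server-side normalisation: basename only, trailing dots/spaces removed,
    anything outside [A-Za-z0-9._-] replaced. Returns None if nothing is left."""
    name = os.path.basename(filename.replace("\\", "/"))
    name = name.rstrip(". ")
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name)
    return name or None


def hardened_accepts(filename: str, content: bytes, _client_types: str = "") -> bool:
    """Server-side policy only; the client-supplied type list is ignored.
    Every dotted component is checked against EXECUTABLE (so shell.php.jpg is
    rejected), the final extension must be in ALLOWED, and the content must
    start with a magic number that matches that extension."""
    name = safe_name(filename)
    if not name or name.startswith("."):
        return False
    parts = name.lower().split(".")
    if len(parts) < 2:
        return False
    if EXECUTABLE & set(parts):
        return False
    ext = parts[-1]
    if ext not in ALLOWED:
        return False
    return any(content.startswith(magic) for magic in ALLOWED[ext])


# Constructed sample uploads: (filename, client-supplied supported_type, leading bytes).
SAMPLES = [
    ("photo.jpg", "jpg,png", b"\xff\xd8\xff\xe0" + b"\x00" * 8),
    ("shell.php", "jpg,png,php", b"<?php system($_GET['c']); ?>"),
    ("index.php.", "jpg,png,", b"<?php echo 1; ?>"),          # empty extension, trailing comma in list
    ("shell.php.jpg", "jpg,png", b"<?php echo 1; ?>"),        # double extension
    ("fake.png", "png", b"<?php echo 1; ?>"),                 # allowed extension, wrong content
]


def compare() -> dict:
    """Returns {filename: (vulnerable_model_accepts, hardened_accepts)}."""
    return {
        name: (vulnerable_accepts(name, types), hardened_accepts(name, body))
        for name, types, body in SAMPLES
    }


if __name__ == "__main__":
    for name, (weak, strong) in compare().items():
        print(f"{name:15} flawed={weak!s:5} hardened={strong}")
```

Only the genuine JPEG survives the hardened check; every other sample is accepted by the flawed model because the client controls the allowlist and the check never looks at the file content. In a real WordPress plugin the equivalent is to derive the type on the server from the sanitized name and the bytes, never from a request parameter.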

Exploits (1)

nomisec · WORKING POC · 3 GitHub stars
by Yucaerin · poc
https://github.com/Yucaerin/CVE-2025-4403

Classification
Working PoC (95% confidence)
Attack Type
RCE
Complexity
Moderate
Reliability
Reliable
Target: Drag and Drop Multiple File Upload for WooCommerce (versions up to and including 1.1.6)
No auth needed
Prerequisites: Python 3.x · requests library · list of target URLs in list.txt · custom file named 'index.php.'
Analyzed by devstral-2 on Feb 16, 2026

Scores

CVSS v3.1 9.8 (Critical)
EPSS 0.0182
EPSS Percentile 75.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none (CISA's value at enrichment time; the public PoC this page tracks corresponds to the SSVC value "poc")
Automatable yes
Technical Impact total

Details

CWE
CWE-434
Status published
Products (1)
glenwpcoder/Drag and Drop Multiple File Upload for WooCommerce <= 1.1.6
Published May 09, 2025
Tracked Since Feb 18, 2026