Skip to main content
CVE-2025-13329 CRITICAL Act Now

Unauthenticated arbitrary file upload vulnerability in File Uploader for WooCommerce (WordPress plugin versions ≤1.0.3) enables remote code execution. Missing file type validation in the 'add-image-data' REST API endpoint allows attackers to upload malicious files to Uploadcare service and retrieve them to the web server, achieving code execution without authentication. Exploitation requires no user interaction or special privileges (CVSS:3.1 AV:N/AC:L/PR:N/UI:N). No public exploit identified at time of analysis.

RCE WordPress File Upload
NVD
CVSS 3.1
9.8
EPSS
0.2%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy