WordPress CVE-2025-13329
Severity: CRITICAL. CVSS vector (NVD):
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description (NVD)
The File Uploader for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the callback function for the 'add-image-data' REST API endpoint in all versions up to, and including, 1.0.3. This makes it possible for unauthenticated attackers to upload arbitrary files to the Uploadcare service and subsequently download them on the affected site's server, which may make remote code execution possible.
Analysis (AI)
Unauthenticated arbitrary file upload vulnerability in File Uploader for WooCommerce (WordPress plugin versions ≤1.0.3) enables remote code execution. Missing file type validation in the 'add-image-data' REST API endpoint allows attackers to upload malicious files to the Uploadcare service and have them retrieved onto the web server, achieving code execution without authentication. Exploitation requires no user interaction and no privileges (CVSS:3.1 AV:N/AC:L/PR:N/UI:N). No public exploit identified at time of analysis.
Technical Context (AI)
Root cause: insufficient input validation (CWE-434) in the REST API callback function. The Uploadcare integration permits upload of arbitrary file types to the external service, and those files are then downloaded to the local server filesystem. Unauthenticated access (PR:N) to the vulnerable endpoint enables direct exploitation without credential requirements. Attack complexity is rated low (AC:L) because the exploitation path is straightforward.
Affected Products (AI)
Product: File Uploader for WooCommerce. Vendor: WordPress plugin ecosystem. Affected versions: all versions through 1.0.3 inclusive. CPE identifier not provided in available data. Platform: WordPress content management system with WooCommerce integration.
Remediation (AI)
Upstream fix available (changeset 3423070); a released patched version could not be independently confirmed. Apply the upstream security patch from the WordPress plugin repository immediately. Review the changeset at https://plugins.trac.wordpress.org/changeset/3423070/file-uploader-for-woocommerce/trunk/src/Helpers/class-uploaderhelper.php for implementation details. If a patched version cannot be verified, deactivate the plugin until the vendor confirms a release version. As an interim mitigation, implement web application firewall rules that block unauthenticated REST API requests to the 'add-image-data' endpoint. Audit the server filesystem for unauthorized uploads in the Uploadcare integration directories. Consult the Wordfence advisory for additional context: https://www.wordfence.com/threat-intel/vulnerabilities/id/da0f0e1a-bbf8-42a5-b330-b53134488ebd?source=cve
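As an added example (not the plugin's own code, and not taken from the Wordfence advisory or the upstream changeset), the following shows how a WordPress REST callback of this shape can enforce both controls the analysis above says were missing: a permission_callback so the route is no longer reachable unauthenticated (the PR:N half of the vector), and a file-type allow-list checked against the file's real bytes before anything is written under the web root (the CWE-434 half). The route namespace 'example-uploader/v1', the function names, the request parameters and the image allow-list are assumptions; the page only tells us the endpoint is named 'add-image-data' and that the file comes from Uploadcare.

```php
<?php
/**
 * Illustrative hardened REST upload route (assumed names throughout; this is
 * not the File Uploader for WooCommerce plugin's code).
 */

add_action( 'rest_api_init', function () {
    register_rest_route(
        'example-uploader/v1',      // assumed namespace
        '/add-image-data',          // endpoint name from the advisory
        array(
            'methods'             => WP_REST_Server::CREATABLE,
            'callback'            => 'example_uploader_add_image_data',
            // A permission_callback of '__return_true' is what makes a route
            // anonymous (PR:N). Require a capability instead.
            'permission_callback' => function () {
                return current_user_can( 'upload_files' );
            },
            'args'                => array(
                'file_url'  => array(          // assumed parameter name
                    'required'          => true,
                    'validate_callback' => function ( $value ) {
                        return false !== wp_http_validate_url( $value );
                    },
                ),
                'file_name' => array(          // assumed parameter name
                    'required'          => true,
                    'sanitize_callback' => 'sanitize_file_name',
                ),
            ),
        )
    );
} );

/** Image types this endpoint is willing to store (assumed allow-list). */
function example_uploader_allowed_mimes() {
    return array(
        'jpg|jpeg|jpe' => 'image/jpeg',
        'png'          => 'image/png',
        'gif'          => 'image/gif',
        'webp'         => 'image/webp',
    );
}

/**
 * The check whose absence is CWE-434. wp_check_filetype_and_ext() compares
 * the extension against the allow-list and, for images, inspects the actual
 * bytes, so both "x.php" and a script renamed to "x.png" are rejected.
 */
function example_uploader_is_allowed_image( $tmp_path, $file_name ) {
    $check = wp_check_filetype_and_ext( $tmp_path, $file_name, example_uploader_allowed_mimes() );
    return ! empty( $check['ext'] ) && ! empty( $check['type'] );
}

function example_uploader_add_image_data( WP_REST_Request $request ) {
    $file_url  = $request->get_param( 'file_url' );
    $file_name = $request->get_param( 'file_name' );

    require_once ABSPATH . 'wp-admin/includes/file.php';

    // Fetch the remote object into a temp file first; nothing lands in
    // wp-content/uploads until it has passed validation.
    $tmp = download_url( $file_url );
    if ( is_wp_error( $tmp ) ) {
        return new WP_Error( 'download_failed', 'Could not fetch the file.', array( 'status' => 400 ) );
    }

    if ( ! example_uploader_is_allowed_image( $tmp, $file_name ) ) {
        wp_delete_file( $tmp );
        return new WP_Error( 'unsupported_type', 'Only JPEG, PNG, GIF and WebP images are accepted.', array( 'status' => 415 ) );
    }

    // wp_handle_sideload() moves the temp file into the uploads directory and
    // re-checks the MIME type against the same allow-list. Note that core
    // skips that re-check for users holding 'unfiltered_upload', which is why
    // the explicit check above is kept in the callback itself.
    $stored = wp_handle_sideload(
        array( 'name' => $file_name, 'tmp_name' => $tmp ),
        array( 'test_form' => false, 'mimes' => example_uploader_allowed_mimes() )
    );
    if ( isset( $stored['error'] ) ) {
        if ( file_exists( $tmp ) ) {
            wp_delete_file( $tmp );
        }
        return new WP_Error( 'store_failed', $stored['error'], array( 'status' => 500 ) );
    }

    return rest_ensure_response( array(
        'file' => $stored['file'],
        'url'  => $stored['url'],
        'type' => $stored['type'],
    ) );
}
```

The two checks are deliberately independent: the permission_callback alone would still let an authorised but compromised account plant a script, and the type check alone would still let anonymous callers fill the uploads directory with images. The WAF rule suggested in the remediation section remains a sensible interim layer in front of both until the patched release is confirmed.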