WordPress
CVE-2025-29009
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Unrestricted Upload of File with Dangerous Type vulnerability in Webkul Medical Prescription Attachment Plugin for WooCommerce medical-prescription-attachment-plugin-for-woocommerce allows Upload a Web Shell to a Web Server.This issue affects Medical Prescription Attachment Plugin for WooCommerce: from n/a through <= 1.2.3.
AnalysisAI
Unrestricted file upload vulnerability in Webkul Medical Prescription Attachment Plugin for WooCommerce through version 1.2.3 allows attackers to upload web shells to the server, enabling remote code execution. The plugin fails to properly validate uploaded file types, permitting dangerous executable files to be stored in web-accessible directories. No CVSS score or public exploit code has been published; however, the low EPSS score (0.11%, 29th percentile) suggests minimal exploitation probability despite the high intrinsic severity of arbitrary file upload to WordPress environments.
Technical ContextAI
This vulnerability stems from CWE-434 (Unrestricted Upload of File with Dangerous Type), a classic WordPress plugin weakness where user-supplied file uploads bypass adequate type validation. The Medical Prescription Attachment Plugin for WooCommerce, deployed as a WordPress plugin extending WooCommerce functionality for medical prescription management, accepts file uploads without sufficiently restricting file extensions or MIME types. Attackers can exploit this to upload PHP, JSP, ASPX, or other executable files that the web server will process, leading to arbitrary code execution in the context of the WordPress application. The vulnerability affects the plugin's core upload handling mechanism, likely in request handlers that process prescription attachments without whitelisting safe file types or enforcing content-based validation.
Affected ProductsAI
Webkul Medical Prescription Attachment Plugin for WooCommerce versions up to and including 1.2.3. The plugin is deployed as a WordPress plugin component extending WooCommerce e-commerce and prescription management functionality. No specific CPE identifier for this WordPress plugin is available in the provided data; affected installations are identified by plugin slug 'medical-prescription-attachment-plugin-for-woocommerce' and active versions <= 1.2.3. Detailed vulnerability information is available via the Patchstack WordPress vulnerability database reference.
RemediationAI
Update Webkul Medical Prescription Attachment Plugin for WooCommerce to version 1.2.4 or later, which should include fixes for file upload validation. Administrators should immediately deactivate and remove the vulnerable plugin if patched versions are not available, or implement temporary controls by restricting upload endpoint access via Web Application Firewall (WAF) rules to authenticated users only if functional requirements permit. Additionally, scan the server for suspicious files in WordPress plugin upload directories (typically wp-content/uploads/) for signs of web shell implantation using file integrity monitoring or security plugins. Consult the Patchstack vulnerability database for updated patch availability and specific version release notes at https://patchstack.com/database/Wordpress/Plugin/medical-prescription-attachment-plugin-for-woocommerce/vulnerability/wordpress-medical-prescription-attachment-plugin-for-woocommerce-1-2-3-arbitrary-file-upload-vulnerability.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today