CVE-2025-62078

2025-12-31

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:44 (vuln.today)
CVE Published: Dec 31, 2025 - 17:15 (nvd)

Description

Missing Authorization vulnerability in Fahad Mahmood Easy Upload Files During Checkout easy-upload-files-during-checkout allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Easy Upload Files During Checkout: from n/a through <= 3.0.0.

Analysis

Missing authorization in the Easy Upload Files During Checkout WordPress plugin through version 3.0.0 allows unauthenticated attackers to exploit incorrectly configured access controls to bypass security restrictions and upload files. The vulnerability, classified as a broken access control flaw (CWE-862), affects the plugin's core file upload functionality during checkout operations. While EPSS scoring indicates very low exploitation probability (0.01%, 2nd percentile), the absence of CVSS data and patch version information limits quantification of attack complexity and remediation specificity.

Technical Context

The Easy Upload Files During Checkout plugin is a WordPress extension that enables file uploads as part of e-commerce checkout workflows. The vulnerability stems from improper implementation of access control checks in the upload handler, allowing requests to bypass authentication or authorization validation. CWE-862 (Missing Authorization) indicates the plugin fails to verify that users have appropriate permissions before granting access to file upload functionality. This is distinct from broken authentication: the application may correctly identify users but fails to enforce role-based or capability-based restrictions on who can trigger uploads. WordPress plugin handlers of this kind typically run as admin-ajax.php actions or WP REST API endpoints, so the vulnerability most likely lies in an endpoint that processes file uploads without proper nonce verification, capability checks, or user role validation.

Affected Products

The Easy Upload Files During Checkout WordPress plugin (plugin slug: easy-upload-files-during-checkout) is affected in all versions from the plugin's initial release through version 3.0.0 inclusive. CPE data is not independently available in standard public repositories for this plugin; however, the vulnerability is documented in the Patchstack vulnerability database. The plugin is distributed via the WordPress.org plugin repository and functions as a checkout enhancement for e-commerce platforms using WooCommerce or similar WordPress-based checkout systems. No patched version has been explicitly mentioned in available intelligence.

Remediation

The primary remediation is to update the Easy Upload Files During Checkout plugin to a version newer than 3.0.0 once released by the vendor. As of this analysis, specific patched version numbers have not been confirmed in the provided intelligence. Users should immediately check the WordPress plugin dashboard or Patchstack vulnerability database (https://patchstack.com/database/Wordpress/Plugin/easy-upload-files-during-checkout) for available updates. As an interim workaround pending patch availability, restrict file upload functionality to authenticated users only via WordPress capability checks, verify nonce tokens on all upload endpoints, and implement role-based access controls limiting uploads to trusted user roles (e.g., administrators or specific customer roles). Disable the plugin entirely if file uploads are non-critical to business operations until a patched version is confirmed.
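The following is an added, illustrative example of what the controls named in the Technical Context and Remediation sections look like in a WordPress upload handler: nonce verification, an authentication check, a capability-based authorization check, and server-side file validation. It is not code from the Easy Upload Files During Checkout plugin or from its author, and it makes no claim about how that plugin is implemented. The hook name (`example_checkout_upload`), the nonce action and field name, the form field name (`checkout_file`), and the choice of the built-in `upload_files` capability are all assumptions chosen for the example; the WordPress functions used (`check_ajax_referer`, `is_user_logged_in`, `current_user_can`, `wp_handle_upload`, `wp_send_json_error`, `register_rest_route`) are real core APIs.

```php
<?php
/**
 * Illustrative hardened checkout file-upload handler for a WordPress plugin.
 * Added example only; not the Easy Upload Files During Checkout plugin's code.
 * Hook name, nonce action, field names and capability are assumptions.
 */

// Register ONLY the authenticated AJAX action. Registering the same callback on
// 'wp_ajax_nopriv_example_checkout_upload' would make it reachable by logged-out
// visitors, which is the kind of missing-authorization exposure CWE-862 describes.
add_action( 'wp_ajax_example_checkout_upload', 'example_checkout_upload_handler' );

function example_checkout_upload_handler() {
	// 1. Nonce check (CSRF): the checkout form must have been rendered with
	//    wp_nonce_field( 'example_checkout_upload', 'example_nonce' ).
	//    check_ajax_referer() terminates the request (HTTP 403) on failure.
	check_ajax_referer( 'example_checkout_upload', 'example_nonce' );

	// 2. Authentication: refuse anonymous requests outright.
	if ( ! is_user_logged_in() ) {
		wp_send_json_error( array( 'message' => 'Authentication required.' ), 401 );
	}

	// 3. Authorization (the CWE-862 control): a valid login alone is not enough.
	//    Require a capability. 'upload_files' is built in; a site can instead
	//    define a custom capability granted only to trusted customer roles.
	if ( ! current_user_can( 'upload_files' ) ) {
		wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
	}

	// 4. Input validation: one expected field, successful PHP-level upload,
	//    bounded size, and an allow-list of MIME types enforced server-side.
	if ( empty( $_FILES['checkout_file'] ) || ! is_array( $_FILES['checkout_file'] ) ) {
		wp_send_json_error( array( 'message' => 'No file supplied.' ), 400 );
	}
	$file = $_FILES['checkout_file'];

	if ( (int) $file['error'] !== UPLOAD_ERR_OK ) {
		wp_send_json_error( array( 'message' => 'Upload failed.' ), 400 );
	}

	$max_bytes = 5 * MB_IN_BYTES; // 5 MiB cap chosen for the example
	if ( (int) $file['size'] > $max_bytes ) {
		wp_send_json_error( array( 'message' => 'File too large.' ), 413 );
	}

	// Allow-list (assumed for the example). wp_handle_upload() checks both the
	// extension and the detected content type against this list.
	$allowed_mimes = array(
		'pdf'      => 'application/pdf',
		'png'      => 'image/png',
		'jpg|jpeg' => 'image/jpeg',
	);

	if ( ! function_exists( 'wp_handle_upload' ) ) {
		require_once ABSPATH . 'wp-admin/includes/file.php';
	}

	$result = wp_handle_upload(
		$file,
		array(
			'test_form' => false,          // we are not posting to wp-admin's form
			'mimes'     => $allowed_mimes,  // reject anything outside the allow-list
		)
	);

	if ( isset( $result['error'] ) ) {
		wp_send_json_error( array( 'message' => $result['error'] ), 400 );
	}

	// 5. Associate the stored file with the authenticated user, never with a
	//    client-supplied user or order id. Return only a public URL, not the
	//    server-side path.
	update_user_meta( get_current_user_id(), 'example_checkout_upload_url', esc_url_raw( $result['url'] ) );

	wp_send_json_success( array( 'url' => esc_url_raw( $result['url'] ) ) );
}

// Equivalent protection for a REST endpoint: the authorization decision lives in
// permission_callback. Using '__return_true' there is the REST-side form of the
// missing-authorization pattern.
add_action( 'rest_api_init', function () {
	register_rest_route( 'example-checkout/v1', '/upload', array(
		'methods'             => 'POST',
		'callback'            => 'example_checkout_upload_handler',
		'permission_callback' => function () {
			return is_user_logged_in() && current_user_can( 'upload_files' );
		},
	) );
} );
```

When reviewing an installed plugin for this class of flaw, the two things to look for are a `wp_ajax_nopriv_` registration on an upload action and a REST route whose `permission_callback` returns true unconditionally; either means the capability check in the handler body is the only barrier, and if it is absent the endpoint is effectively public.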

Priority Score

Score: 0 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +0
POC: 0
