Skip to main content

File Uploader for WooCommerce CVE-2026-25397

| EUVDEUVD-2026-15709 HIGH
Path Traversal: '.../...//' (CWE-35)
2026-03-25 Patchstack
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
Analysis Updated
Apr 28, 2026 - 02:29 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 16:12 vuln.today
cvss_changed
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15709
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
HIGH 7.5

DescriptionCVE.org

Path Traversal: '.../...//' vulnerability in Snowray Software File Uploader for WooCommerce file-uploader-for-woocommerce allows Path Traversal.This issue affects File Uploader for WooCommerce: from n/a through <= 1.0.4.

AnalysisAI

Unauthenticated path traversal in File Uploader for WooCommerce plugin (versions ≤1.0.4) allows remote attackers to read arbitrary files from the WordPress server via malformed file path sequences ('.../...//'). The vulnerability permits high-impact confidentiality breach through network-accessible endpoints without authentication, potentially exposing wp-config.php, database credentials, and other sensitive server files. EPSS score of 0.03% suggests low observed exploitation probability despite the critical CVSS 7.5 rating, and SSVC assessment confirms no active exploitation at time of analysis. Reported by Patchstack, this WordPress plugin vulnerability affects installations where the file upload functionality processes user-controlled path inputs without proper sanitization.

Technical ContextAI

This vulnerability exploits a path traversal weakness (CWE-35) in the File Uploader for WooCommerce WordPress plugin's file handling mechanisms. The specific attack vector uses a variant path traversal sequence ('.../...//' instead of standard '../') to bypass inadequate input validation. Affected product identified by CPE cpe:2.3:a:snowray_software:file_uploader_for_woocommerce:*:*:*:*:*:*:*:* indicates all versions through 1.0.4 are vulnerable. The plugin likely processes file upload or retrieval requests without normalizing paths or validating against directory traversal patterns beyond standard dot-dot-slash sequences. This allows attackers to escape intended upload/download directories and access arbitrary files readable by the web server process, typically www-data or nginx user. WordPress plugins handling file operations are particularly susceptible when they construct file paths by concatenating user input without canonicalization or whitelist validation against allowed directories.

RemediationAI

Primary remediation is upgrading File Uploader for WooCommerce to version 1.0.5 or later if Snowray Software has released a patched version addressing CVE-2026-25397 (verify current version availability at https://patchstack.com/database/Wordpress/Plugin/file-uploader-for-woocommerce/vulnerability/wordpress-file-uploader-for-woocommerce-plugin-1-0-4-path-traversal-vulnerability). If no patched version exists, immediately disable or uninstall the plugin until vendor fix is available - consult WooCommerce documentation for alternative file upload solutions that maintain business functionality. Compensating controls for organizations unable to remove the plugin: restrict plugin access to authenticated administrator roles only via WordPress capability management (reduces attack surface from AV:N/PR:N to PR:H, though does not eliminate vulnerability), implement web application firewall rules blocking requests containing '.../' patterns in file path parameters (may cause false positives for legitimate filenames), and enable restrictive file permissions on sensitive WordPress configuration files (chmod 400 wp-config.php) to limit read access even if traversal succeeds. Review web server access logs for suspicious file access patterns targeting configuration files as potential indicators of exploitation attempts. Note that WAF-based mitigations may be bypassed through encoding variations and should not substitute for patching.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

CVE-2026-25397 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy