Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
5DescriptionCVE.org
Path Traversal: '.../...//' vulnerability in Snowray Software File Uploader for WooCommerce file-uploader-for-woocommerce allows Path Traversal.This issue affects File Uploader for WooCommerce: from n/a through <= 1.0.4.
AnalysisAI
Unauthenticated path traversal in File Uploader for WooCommerce plugin (versions ≤1.0.4) allows remote attackers to read arbitrary files from the WordPress server via malformed file path sequences ('.../...//'). The vulnerability permits high-impact confidentiality breach through network-accessible endpoints without authentication, potentially exposing wp-config.php, database credentials, and other sensitive server files. EPSS score of 0.03% suggests low observed exploitation probability despite the critical CVSS 7.5 rating, and SSVC assessment confirms no active exploitation at time of analysis. Reported by Patchstack, this WordPress plugin vulnerability affects installations where the file upload functionality processes user-controlled path inputs without proper sanitization.
Technical ContextAI
This vulnerability exploits a path traversal weakness (CWE-35) in the File Uploader for WooCommerce WordPress plugin's file handling mechanisms. The specific attack vector uses a variant path traversal sequence ('.../...//' instead of standard '../') to bypass inadequate input validation. Affected product identified by CPE cpe:2.3:a:snowray_software:file_uploader_for_woocommerce:*:*:*:*:*:*:*:* indicates all versions through 1.0.4 are vulnerable. The plugin likely processes file upload or retrieval requests without normalizing paths or validating against directory traversal patterns beyond standard dot-dot-slash sequences. This allows attackers to escape intended upload/download directories and access arbitrary files readable by the web server process, typically www-data or nginx user. WordPress plugins handling file operations are particularly susceptible when they construct file paths by concatenating user input without canonicalization or whitelist validation against allowed directories.
RemediationAI
Primary remediation is upgrading File Uploader for WooCommerce to version 1.0.5 or later if Snowray Software has released a patched version addressing CVE-2026-25397 (verify current version availability at https://patchstack.com/database/Wordpress/Plugin/file-uploader-for-woocommerce/vulnerability/wordpress-file-uploader-for-woocommerce-plugin-1-0-4-path-traversal-vulnerability). If no patched version exists, immediately disable or uninstall the plugin until vendor fix is available - consult WooCommerce documentation for alternative file upload solutions that maintain business functionality. Compensating controls for organizations unable to remove the plugin: restrict plugin access to authenticated administrator roles only via WordPress capability management (reduces attack surface from AV:N/PR:N to PR:H, though does not eliminate vulnerability), implement web application firewall rules blocking requests containing '.../' patterns in file path parameters (may cause false positives for legitimate filenames), and enable restrictive file permissions on sensitive WordPress configuration files (chmod 400 wp-config.php) to limit read access even if traversal succeeds. Review web server access logs for suspicious file access patterns targeting configuration files as potential indicators of exploitation attempts. Note that WAF-based mitigations may be bypassed through encoding variations and should not substitute for patching.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-35 – Path Traversal: '.../...//'
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15709