CVE-2025-10412
📋 TL;DR
This vulnerability allows unauthenticated attackers to upload arbitrary files to WordPress servers running the Uni CPO plugin. Attackers can potentially achieve remote code execution by uploading malicious files. All WordPress sites using Uni CPO plugin versions up to 4.9.54 are affected.
💻 Affected Systems
- Uni CPO - Product Options and Price Calculation Formulas for WooCommerce (Premium)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise through remote code execution, leading to data theft, ransomware deployment, or website defacement.
Likely Case
Attackers upload web shells to gain persistent access, install malware, or use the server for malicious activities.
If Mitigated
File uploads blocked, but attackers may still attempt exploitation attempts visible in logs.
🎯 Exploit Status
Unauthenticated exploitation with simple file upload bypass. Weaponization likely due to high CVSS score and WordPress plugin popularity.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.9.55 or later
Vendor Advisory: https://builderius.io/cpo/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find Uni CPO plugin. 4. Click 'Update Now' if update available. 5. If no update shows, download version 4.9.55+ from vendor site and manually update.
🔧 Temporary Workarounds
Disable Uni CPO Plugin
allTemporarily disable the vulnerable plugin until patched
wp plugin deactivate uni-cpo
Web Application Firewall Rule
allBlock requests to uni_cpo_upload_file endpoint
🧯 If You Can't Patch
- Implement strict file upload restrictions at web server level
- Deploy web application firewall with specific rules blocking Uni CPO file upload endpoints
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Uni CPO → Version number. If version is 4.9.54 or lower, system is vulnerable.Check Version:
wp plugin list --name=uni-cpo --field=versionVerify Fix Applied:
Confirm Uni CPO plugin version is 4.9.55 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=uni_cpo_upload_file
- Unusual file uploads to uploads/uni_cpo directory
- PHP or executable files in upload directories
Network Indicators:
- HTTP POST requests containing 'uni_cpo_upload_file' parameter
- File uploads with unusual extensions (.php, .phtml, .exe) to WordPress endpoints
SIEM Query:
source="web_logs" AND uri_path="/wp-admin/admin-ajax.php" AND post_data="uni_cpo_upload_file"