CVE-2025-11391
📋 TL;DR
The PPOM – Product Addons & Custom Fields for WooCommerce WordPress plugin has an arbitrary file upload vulnerability in its image cropper functionality. Unauthenticated attackers can upload malicious files to the server, potentially leading to remote code execution. Only users with the paid version installed and activated are affected, despite the vulnerable code being in the free version.
💻 Affected Systems
- PPOM – Product Addons & Custom Fields for WooCommerce WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete server compromise, data theft, and website defacement.
Likely Case
Malicious file upload leading to backdoor installation, data exfiltration, or website disruption.
If Mitigated
File upload attempts blocked or logged with no successful exploitation.
🎯 Exploit Status
Simple file upload bypass with no authentication required makes exploitation trivial.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 33.0.15
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins. 3. Find PPOM plugin. 4. Click 'Update Now' if available. 5. Alternatively, download latest version from WordPress repository and replace plugin files.
🔧 Temporary Workarounds
Disable plugin temporarily
allDeactivate the PPOM plugin until patched.
wp plugin deactivate woocommerce-product-addon
Restrict file uploads via .htaccess
linuxBlock PHP and other executable file uploads in WordPress uploads directory.
<FilesMatch "\.(php|php5|php7|phtml|phar)$">
Order Allow,Deny
Deny from all
</FilesMatch>
🧯 If You Can't Patch
- Deactivate the PPOM plugin immediately
- Implement web application firewall rules to block suspicious file uploads
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > PPOM version. If version is 33.0.15 or lower, you are vulnerable.Check Version:
wp plugin get woocommerce-product-addon --field=versionVerify Fix Applied:
Verify plugin version is higher than 33.0.15 in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to /wp-content/uploads/ppom/
- POST requests to image cropper endpoints with non-image files
- Multiple failed upload attempts with executable extensions
Network Indicators:
- HTTP POST requests to /wp-content/plugins/woocommerce-product-addon/ with file uploads
- Traffic spikes to upload endpoints
SIEM Query:
source="web_logs" AND (uri="/wp-content/plugins/woocommerce-product-addon/" OR uri CONTAINS "ppom") AND method="POST" AND (file_extension="php" OR file_extension="phar" OR file_extension="phtml")🔗 References
- https://plugins.trac.wordpress.org/browser/woocommerce-product-addon/trunk/inc/hooks.php#L45
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3379431%40woocommerce-product-addon&new=3379431%40woocommerce-product-addon&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/cf851bed-f5d8-44e2-810d-906ba3d3c1c5?source=cve
