CVE-2025-2780
📋 TL;DR
The Woffice Core plugin for WordPress has a vulnerability that allows authenticated users with Subscriber-level access or higher to upload arbitrary files because the plugin does not validate file types. This can lead to remote code execution on affected WordPress sites. All WordPress sites running Woffice Core plugin versions up to and including 5.4.21 are vulnerable.
💻 Affected Systems
- Woffice Core WordPress Plugin
- Woffice Theme
📦 What is this software?
Woffice by Xtendify
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full control of the WordPress server through remote code execution, potentially compromising the entire hosting environment and exfiltrating sensitive data.
Likely Case
Attackers upload web shells or malicious scripts to establish persistent access, deface websites, or use the server for further attacks.
If Mitigated
With script execution blocked in the upload directories and a web application firewall in place, an attacker can at most place files that will not execute.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once credentials are obtained. The vulnerability is in a publicly documented function with clear attack vectors.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.4.22
Vendor Advisory: https://hub.woffice.io/woffice/changelog#april-1st-2025-version-5422
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Woffice Core plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 5.4.22 or later from the official repository and update manually.
🔧 Temporary Workarounds
Restrict Uploaded File Execution via .htaccess
Block execution of uploaded files in upload directories.
Add to .htaccess in wp-content/uploads/:
<FilesMatch "\.(php|php5|php7|phtml|phar)$">
  # Apache 2.2 directives; on Apache 2.4 without mod_access_compat use "Require all denied" instead
  Order Allow,Deny
  Deny from all
</FilesMatch>
Temporary Plugin Deactivation
Disable the Woffice Core plugin until it is patched.
wp plugin deactivate woffice-core
Or deactivate it via the WordPress admin panel.
🧯 If You Can't Patch
- Implement strict file upload restrictions at web server level
- Restrict Subscriber role permissions or require higher authentication for file uploads
🔍 How to Verify
Check if Vulnerable:
Check the WordPress admin panel → Plugins → Woffice Core → Version number. If the version is 5.4.21 or lower, the site is vulnerable.
Check Version:
wp plugin get woffice-core --field=version
Verify Fix Applied:
Verify Woffice Core plugin version is 5.4.22 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to wp-content/uploads/ directory
- POST requests to /wp-admin/admin-ajax.php with action=saveFeaturedImage
- Uploads of executable file types (.php, .phar, .phtml)
Network Indicators:
- HTTP POST requests with file uploads to WordPress admin endpoints from unexpected sources
SIEM Query:
source="wordpress.log" AND ("saveFeaturedImage" OR "upload") AND ("php" OR "phar" OR "phtml")
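As an added example that is not part of this advisory, the log indicators above turned into a small scanner run over constructed Apache access-log lines. The sample lines, client IPs and file names are made up; the scanner assumes the admin-ajax action appears in the query string, since access logs do not record POST bodies.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed sample lines in Apache "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [02/Apr/2025:10:01:12 +0000] "POST /wp-admin/admin-ajax.php?action=saveFeaturedImage HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.10 - - [02/Apr/2025:10:01:15 +0000] "GET /wp-content/uploads/2025/04/avatar.php HTTP/1.1" 200 77 "-" "curl/8.0"
198.51.100.7 - - [02/Apr/2025:10:02:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 90 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Apr/2025:10:02:30 +0000] "GET /wp-content/uploads/2025/04/photo.jpg HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Same extensions the .htaccess workaround blocks, matched case-insensitively.
EXEC_EXT_RE = re.compile(r'\.(php|php5|php7|phtml|phar)$', re.IGNORECASE)

def classify(line):
    # Return (indicator, parsed fields) when the line matches an indicator, else None.
    m = LOG_RE.match(line)
    if not m:
        return None
    base, _, query = m['path'].partition('?')
    # The action parameter is usually sent in the POST body, which access logs do not
    # record; the query-string form is the one observable here (assumption).
    if m['method'] == 'POST' and base.endswith('/wp-admin/admin-ajax.php') \
            and 'saveFeaturedImage' in parse_qs(query).get('action', []):
        return 'ajax_saveFeaturedImage', m.groupdict()
    # A request for a PHP-like file under uploads/ means a dropped file is being executed.
    if '/wp-content/uploads/' in base and EXEC_EXT_RE.search(base):
        return 'executable_under_uploads', m.groupdict()
    return None

def scan_access_log(text):
    # One alert dict (indicator plus parsed fields) per matching line.
    hits = filter(None, (classify(line) for line in text.splitlines()))
    return [{'indicator': ind, **fields} for ind, fields in hits]

def correlate(alerts):
    # Client IPs that triggered both indicators: the upload call followed by execution.
    seen = defaultdict(set)
    for a in alerts:
        seen[a['ip']].add(a['indicator'])
    both = {'ajax_saveFeaturedImage', 'executable_under_uploads'}
    return sorted(ip for ip, inds in seen.items() if both <= inds)

if __name__ == '__main__':
    for a in scan_access_log(SAMPLE_LOG):
        print(a['ts'], a['ip'], a['indicator'], a['path'])
```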