CVE-2025-2941
📋 TL;DR
This vulnerability allows unauthenticated attackers to move arbitrary files on WordPress servers running the vulnerable Drag and Drop Multiple File Upload for WooCommerce plugin. By exploiting insufficient path validation, attackers can relocate critical files like wp-config.php, potentially leading to remote code execution. All WordPress sites using this plugin up to version 1.1.4 are affected.
💻 Affected Systems
- Drag and Drop Multiple File Upload for WooCommerce WordPress plugin
Affected Versions
All releases up to and including 1.1.4 are affected; version 1.1.5 contains the fix (see Fix & Mitigation).
- Review the CVE details at NVD
- Check the vendor changelog for your installed version
- Confirm the installed version with the WP-CLI command under How to Verify
- Update to 1.1.5 or later
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete server compromise, data theft, and website defacement.
Likely Case
File manipulation leading to configuration exposure, privilege escalation, or denial of service.
If Mitigated
Limited impact if the web server user cannot move the targeted files or runs with minimal privileges. Note that renaming or moving a file requires write permission on the directory that contains it, not on the file itself, so a read-only wp-config.php in a writable WordPress root is still movable.
🎯 Exploit Status
Simple HTTP request manipulation required. No authentication needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.1.5
Vendor Advisory: https://wordpress.org/plugins/drag-and-drop-multiple-file-upload-for-woocommerce/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Drag and Drop Multiple File Upload for WooCommerce'.
4. Click 'Update Now' if an update is available.
5. If no update appears, manually download version 1.1.5 or later from WordPress.org and replace the plugin files.
🔧 Temporary Workarounds
Disable vulnerable plugin
(all platforms) Temporarily deactivate the plugin until patched
wp plugin deactivate drag-and-drop-multiple-file-upload-for-woocommerce
Restrict file permissions
(Linux) Keep wp-config.php readable by the web server but not writable by it. The commands below assume the web server runs in the www-data group (Debian/Ubuntu); substitute your distribution's group. Do not use root:root with mode 400, as PHP would then be unable to read the file and the site would stop working.
chown root:www-data wp-config.php
chmod 440 wp-config.php
Because a move only needs write access to the containing directory, file mode alone does not stop this attack; on ext4 the immutable attribute also blocks renames and deletion (remember to clear it with chattr -i before any future edit):
chattr +i wp-config.php
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules that block requests whose 'wc-upload-file[]' parameter contains traversal sequences (../ or its URL-encoded forms) or an absolute path. Blocking the parameter outright also works but disables the plugin's upload feature, at which point deactivating the plugin is the simpler option.
- Disable the plugin entirely and use alternative file upload solutions
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin under Plugins → Installed Plugins. If version is 1.1.4 or lower, you are vulnerable.
Check Version:
wp plugin get drag-and-drop-multiple-file-upload-for-woocommerce --field=version
Verify Fix Applied:
Confirm plugin version shows 1.1.5 or higher after update. Test file upload functionality still works normally.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing 'wc-upload-file[]' parameter with suspicious file paths
- File modification events on wp-config.php or other sensitive files
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php with file movement parameters
- Unusual file upload patterns
SIEM Query (pseudo-syntax; adapt to your platform):
source="web_logs" AND (uri_path="/wp-admin/admin-ajax.php" AND params CONTAINS "wc-upload-file")
The parameter travels in the POST body, which standard web server access logs do not record. This query only returns results if the log source captures request bodies or parameter names, for example a WAF audit log or a ModSecurity audit log.
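As an added example of the detection logic above run over log data, the script below is not part of the original page or of any vendor tooling. It assumes a log source that already records request parameters as JSON-lines records (one object per request with src, method, path and params fields); the sample records are constructed for the demonstration. A request is flagged only when it is a POST to admin-ajax.php carrying a wc-upload-file parameter whose value looks like a path outside the upload folder, which keeps ordinary uploads out of the alert stream.

```python
import json
import re
from urllib.parse import unquote

# Indicators taken from the advisory: POSTs to admin-ajax.php whose
# wc-upload-file[] value points outside the upload directory.
TARGET_PATH = "/wp-admin/admin-ajax.php"
PARAM_PREFIX = "wc-upload-file"
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")   # ../ or ..\ segments
ABSOLUTE = re.compile(r"^(?:[A-Za-z]:[\\/]|[\\/])")   # /etc/... or C:\...
SENSITIVE = re.compile(r"(wp-config\.php|\.htaccess)", re.IGNORECASE)


def decode(value: str) -> str:
    """URL-decode twice so double-encoded traversal (%252e%252e%252f) is seen as ../."""
    return unquote(unquote(value))


def classify_value(value: str) -> list:
    """Return the reasons one parameter value looks malicious (empty list = benign)."""
    v = decode(value)
    reasons = []
    if TRAVERSAL.search(v):
        reasons.append("traversal")
    if ABSOLUTE.match(v):
        reasons.append("absolute-path")
    if SENSITIVE.search(v):
        reasons.append("sensitive-file")
    return reasons


def scan_event(event: dict) -> list:
    """Flag one parsed request record; returns a list of findings, empty if clean."""
    if event.get("method") != "POST" or event.get("path") != TARGET_PATH:
        return []
    findings = []
    for name, values in event.get("params", {}).items():
        if not name.startswith(PARAM_PREFIX):
            continue
        if isinstance(values, str):      # tolerate single-valued encodings
            values = [values]
        for value in values:
            reasons = classify_value(value)
            if reasons:
                findings.append({"src": event.get("src"), "param": name,
                                 "value": value, "reasons": reasons})
    return findings


def scan_log(lines) -> list:
    """Scan JSON-lines records; malformed lines are skipped instead of aborting the scan."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        findings.extend(scan_event(event))
    return findings


# Constructed sample records in the assumed JSON-lines shape (not real traffic).
SAMPLE_LOG = [
    '{"src":"203.0.113.10","method":"POST","path":"/wp-admin/admin-ajax.php",'
    ' "params":{"wc-upload-file[]":["invoice.pdf"]}}',
    '{"src":"198.51.100.7","method":"POST","path":"/wp-admin/admin-ajax.php",'
    ' "params":{"wc-upload-file[]":["../../wp-config.php"]}}',
    '{"src":"198.51.100.7","method":"POST","path":"/wp-admin/admin-ajax.php",'
    ' "params":{"wc-upload-file[]":["..%2F..%2Fwp-config.php"]}}',
    '{"src":"192.0.2.5","method":"GET","path":"/wp-admin/admin-ajax.php",'
    ' "params":{"wc-upload-file[]":["../x"]}}',
    'not json at all',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Pair the request-level alerts with the file-modification indicator listed above: a hit from this scan followed by an inotify or auditd event on wp-config.php is a much stronger signal than either on its own.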
🔗 References
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3266697%40drag-and-drop-multiple-file-upload-for-woocommerce&new=3266697%40drag-and-drop-multiple-file-upload-for-woocommerce&sfp_email=&sfph_mail=
- https://wordpress.org/plugins/drag-and-drop-multiple-file-upload-for-woocommerce/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/2685a2b4-aba3-425b-af0d-06f7693ab3d7?source=cve