CVE-2025-10412 Overview
CVE-2025-10412 is a critical arbitrary file upload vulnerability affecting the Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) plugin for WordPress. The vulnerability exists due to misconfigured file type validation in the uni_cpo_upload_file function, allowing unauthenticated attackers to upload arbitrary files to the affected site's server, which may enable remote code execution.
Critical Impact
Unauthenticated attackers can upload malicious files including PHP web shells to achieve remote code execution on vulnerable WordPress installations without any authentication required.
Affected Products
- Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) versions up to and including 4.9.54
- WordPress sites running vulnerable Uni CPO plugin versions
- WooCommerce installations with Uni CPO integration
Discovery Timeline
- 2025-09-23 - CVE-2025-10412 published to NVD
- 2025-09-24 - Last updated in NVD database
Technical Details for CVE-2025-10412
Vulnerability Analysis
This vulnerability falls under CWE-434 (Unrestricted Upload of File with Dangerous Type). The core issue resides in the uni_cpo_upload_file function which handles file uploads for product customization options. The function fails to properly validate uploaded file types, allowing attackers to bypass intended restrictions and upload executable files such as PHP scripts.
The network-accessible nature of this vulnerability means it can be exploited remotely without any authentication or user interaction. An attacker can craft a malicious request to the file upload endpoint, submitting a PHP web shell disguised or directly uploaded through the misconfigured validation logic.
Root Cause
The root cause is improper file type validation within the uni_cpo_upload_file function. The plugin's file upload mechanism does not adequately verify or restrict the types of files that can be uploaded, failing to implement proper server-side validation of file extensions and MIME types. This misconfiguration allows dangerous file types like .php to be uploaded and subsequently executed by the web server.
Attack Vector
The attack vector is network-based and requires no authentication or privileges. An attacker can exploit this vulnerability by:
- Identifying a WordPress site running a vulnerable version of the Uni CPO plugin
- Crafting a specially formed HTTP request to the file upload endpoint
- Bypassing the misconfigured file type validation to upload a malicious PHP file (web shell)
- Accessing the uploaded file directly to execute arbitrary PHP code on the server
The vulnerability allows unauthenticated remote attackers to gain complete control over the WordPress installation and potentially the underlying server, depending on the server configuration and permissions.
Detection Methods for CVE-2025-10412
Indicators of Compromise
- Unexpected PHP files appearing in WordPress upload directories, particularly within Uni CPO-related folders
- Web server access logs showing requests to unusual file paths within upload directories
- Presence of files with suspicious names or double extensions (e.g., image.php.jpg or shell.php)
- Outbound network connections originating from the web server to unknown destinations
Detection Strategies
- Monitor file system changes in WordPress upload directories for newly created executable files
- Implement Web Application Firewall (WAF) rules to detect and block file upload attacks targeting the uni_cpo_upload_file endpoint
- Review web server logs for POST requests to plugin upload handlers containing suspicious payloads
- Deploy endpoint detection solutions to identify web shell signatures and behaviors
Monitoring Recommendations
- Enable file integrity monitoring on WordPress installations to detect unauthorized file changes
- Configure alerting for any new PHP file creation in upload directories
- Monitor for unusual process execution spawned by the web server process (e.g., www-data spawning bash or cmd)
- Review authentication logs for any suspicious activity following potential exploitation
How to Mitigate CVE-2025-10412
Immediate Actions Required
- Update the Uni CPO (Premium) plugin to a version newer than 4.9.54 that addresses this vulnerability
- If an update is not immediately available, disable the Uni CPO plugin until a patch is released
- Review upload directories for any suspicious or unexpected files and remove them
- Implement WAF rules to restrict file uploads to safe file types only
Patch Information
Organizations should update the Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) plugin to the latest available version. Consult the Builderius CPO Overview for official updates and patch information. The Wordfence Vulnerability Report provides additional details on this vulnerability and remediation guidance.
Workarounds
- Temporarily disable the Uni CPO plugin if updates cannot be applied immediately
- Implement server-level restrictions to prevent execution of PHP files in upload directories using .htaccess or web server configuration
- Configure a Web Application Firewall to block requests containing potentially malicious file upload payloads
- Restrict access to WordPress admin and plugin endpoints using IP allowlisting where feasible
# Apache .htaccess configuration to prevent PHP execution in uploads directory
# Place this file in wp-content/uploads/
<FilesMatch "\.(?:php|phtml|php3|php4|php5|php7|phps)$">
Order Deny,Allow
Deny from all
</FilesMatch>
# Alternative: Disable script execution entirely
<Directory "/var/www/html/wp-content/uploads">
php_admin_flag engine Off
</Directory>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
