CVE-2025-13329 Overview
CVE-2025-13329 is a critical arbitrary file upload vulnerability affecting the File Uploader for WooCommerce plugin for WordPress. The vulnerability exists due to missing file type validation in the callback function for the add-image-data REST API endpoint in all versions up to, and including, 1.0.3. This security flaw allows unauthenticated attackers to upload arbitrary files to the Uploadcare service and subsequently download them onto the affected site's server, potentially enabling remote code execution.
Critical Impact
Unauthenticated attackers can exploit this vulnerability to upload malicious files (such as PHP webshells) without any credentials, potentially gaining complete control of the affected WordPress installation and the underlying server.
Affected Products
- File Uploader for WooCommerce plugin for WordPress versions up to and including 1.0.3
- WordPress sites using the vulnerable plugin with the REST API enabled
- WooCommerce installations utilizing the File Uploader for WooCommerce plugin
Discovery Timeline
- 2025-12-20 - CVE-2025-13329 published to NVD
- 2025-12-23 - Last updated in NVD database
Technical Details for CVE-2025-13329
Vulnerability Analysis
This vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). The core issue stems from the plugin's failure to implement proper file type validation within the REST API endpoint handler. When a request is made to the add-image-data endpoint, the plugin processes uploaded file data without verifying that the file content matches an expected safe file type.
The attack chain involves uploading malicious files to the Uploadcare third-party service, which are then retrieved and stored on the vulnerable WordPress server. Since no validation occurs during either the upload or download phase, attackers can effectively place executable files (such as PHP scripts) directly on the target server's filesystem. This two-stage process circumvents any front-end protections and exploits the trust relationship between the plugin and the Uploadcare service.
Root Cause
The root cause of CVE-2025-13329 is the complete absence of file type validation logic within the callback function handling the add-image-data REST API endpoint. The plugin developers did not implement checks to verify:
- The MIME type of uploaded files
- The file extension against an allowlist of safe file types
- The actual file content (magic bytes) to prevent MIME type spoofing
This oversight allows any file type to pass through the upload pipeline, including executable scripts that can compromise the server when accessed.
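The following is an added example, not the plugin's code, showing the three checks the root-cause section lists being applied together before a file is accepted: an extension allowlist, agreement between the client-declared MIME type and that extension, and content sniffing of the magic bytes. The function and constant names are assumptions, and the sample inputs are constructed.

```php
<?php
// Added example (not the plugin's code): the validation that the add-image-data
// handler was missing. Names are assumptions; the rules are the three checks from
// the root-cause section: extension allowlist, declared MIME type, magic bytes.

const ALLOWED_TYPES = [
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
    'pdf'  => 'application/pdf',
];

/**
 * Returns [bool $accepted, string $reason].
 * Every dotted component after the base name must be on the allowlist, so a
 * double extension such as "shell.php.png" is rejected. A legitimate
 * "my.photo.png" is rejected as well; that strictness is deliberate for an
 * endpoint reachable without authentication.
 */
function validate_upload(string $filename, string $contents, string $claimed_mime): array
{
    $parts = explode('.', strtolower(basename($filename)));
    if (count($parts) < 2 || $parts[0] === '') {
        return [false, 'missing base name or extension'];
    }
    array_shift($parts); // drop the base name, keep the extension components
    foreach ($parts as $ext) {
        if (!array_key_exists($ext, ALLOWED_TYPES)) {
            return [false, "extension .$ext is not on the allowlist"];
        }
    }
    $final_ext = end($parts);
    $expected_mime = ALLOWED_TYPES[$final_ext];

    // The client-declared type is untrusted input; it must agree with the extension.
    if (strtolower($claimed_mime) !== $expected_mime) {
        return [false, "declared type $claimed_mime does not match .$final_ext"];
    }

    // Sniff the real content type from the magic bytes, independent of what was declared.
    $sniffed = (new finfo(FILEINFO_MIME_TYPE))->buffer($contents);
    if ($sniffed !== $expected_mime) {
        return [false, "content sniffed as $sniffed, expected $expected_mime"];
    }
    return [true, 'accepted'];
}

// Constructed sample inputs: a minimal PNG header and a short PHP script.
$png_bytes = "\x89PNG\r\n\x1a\n\0\0\0\x0dIHDR" . str_repeat("\0", 17);
$php_bytes = "<?php echo 'constructed sample'; ?>\n";

foreach ([
    ['photo.png',     $png_bytes, 'image/png'],         // PNG content under a matching name
    ['photo.png',     $php_bytes, 'image/png'],         // PHP content disguised with a .png name
    ['shell.php.png', $php_bytes, 'image/png'],         // double extension
    ['shell.php',     $php_bytes, 'application/x-php'], // bare script extension
] as [$name, $bytes, $mime]) {
    [$ok, $why] = validate_upload($name, $bytes, $mime);
    printf("%-14s %s (%s)\n", $name, $ok ? 'ACCEPT' : 'REJECT', $why);
}
```

Run it with `php validate_upload.php`. The second case is the one that matters for this CVE: the declared type and the extension both look like an image, and only the magic-byte check catches the script. Inside a WordPress plugin the same combination of checks is available through WordPress's own `wp_check_filetype_and_ext()`, which validates the extension against `get_allowed_mime_types()` and sniffs the content.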
Attack Vector
The attack vector for this vulnerability is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by:
- Identifying a WordPress site running the vulnerable File Uploader for WooCommerce plugin version 1.0.3 or earlier
- Sending a crafted REST API request to the add-image-data endpoint containing a malicious file (e.g., a PHP webshell)
- The plugin processes the request and stores the malicious file via the Uploadcare service integration
- The attacker then triggers the download of the malicious file to the WordPress server's filesystem
- Once stored, the attacker accesses the uploaded file directly through a web request, executing arbitrary code
The vulnerability requires no special privileges and can be exploited remotely by any attacker with network access to the target WordPress installation.
Detection Methods for CVE-2025-13329
Indicators of Compromise
- Unexpected PHP, HTML, or executable files appearing in WordPress upload directories or plugin-related folders
- Suspicious REST API requests to the add-image-data endpoint from unknown or external IP addresses
- Unexplained connections to Uploadcare service URLs followed by local file creation events
- New or modified files with recent timestamps in plugin directories that don't correspond to legitimate updates
Detection Strategies
- Monitor WordPress REST API logs for requests targeting the /wp-json/ endpoints related to the File Uploader for WooCommerce plugin
- Implement file integrity monitoring (FIM) to detect unauthorized file creation in web-accessible directories
- Deploy web application firewall (WAF) rules to inspect and block requests containing executable file signatures to REST API endpoints
- Review server access logs for sequential patterns of API requests followed by direct file access attempts
Monitoring Recommendations
- Enable verbose logging for the WordPress REST API and regularly audit logs for anomalous activity
- Configure alerts for file upload events involving executable file extensions (.php, .phtml, .phar, etc.)
- Monitor outbound connections to Uploadcare services and correlate with file system changes
- Implement runtime application self-protection (RASP) to detect and block code execution from uploaded files
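As an added example of the "sequential patterns" detection described under Detection Strategies and the script-extension alerting under Monitoring Recommendations, the script below correlates requests to the add-image-data REST endpoint with a later direct request for a .php, .phtml or .phar file under /wp-content/ from the same client. It is not the plugin's or vendor's code; the log lines are constructed samples in combined log format, the REST namespace in the path is a placeholder because the page does not give the route prefix, and the correlation window is an assumption.

```php
<?php
// Added example (not the plugin's or vendor's code): correlate a request to the
// add-image-data REST endpoint with a later direct request for a script file
// from the same client IP. Log lines are constructed samples in combined log
// format; PLUGIN-NAMESPACE is a placeholder for the plugin's REST route prefix.

const WINDOW_SECONDS = 600; // assumption: a script fetch within 10 minutes of the API call is suspicious

function parse_line(string $line): ?array
{
    // client - user [timestamp] "METHOD path PROTO" status ...
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $ts = DateTime::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    if ($ts === false) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $ts->getTimestamp(), 'method' => $m[3],
            'path' => strtok($m[4], '?'), 'status' => (int) $m[5]]; // strtok drops the query string
}

function find_suspicious_sequences(array $lines): array
{
    $api_calls = []; // client ip => timestamps of add-image-data requests
    $alerts = [];
    foreach ($lines as $line) {
        $e = parse_line($line);
        if ($e === null) {
            continue;
        }
        if (str_contains($e['path'], '/wp-json/') && str_contains($e['path'], 'add-image-data')) {
            $api_calls[$e['ip']][] = $e['time'];
            continue;
        }
        // direct request for a script file under wp-content (.php, .php7, .phtml, .phar)
        if (!preg_match('~^/wp-content/.*\.ph(?:p\d?|tml|ar)$~i', $e['path'])) {
            continue;
        }
        foreach ($api_calls[$e['ip']] ?? [] as $t) {
            $delta = $e['time'] - $t;
            if ($delta >= 0 && $delta <= WINDOW_SECONDS) {
                $alerts[] = sprintf('%s requested %s (HTTP %d) %ds after calling add-image-data',
                                    $e['ip'], $e['path'], $e['status'], $delta);
                break;
            }
        }
    }
    return $alerts;
}

// Constructed sample log; only the first and third lines belong to the same client.
$sample_log = [
    '203.0.113.7 - - [20/Dec/2025:10:00:01 +0000] "POST /wp-json/PLUGIN-NAMESPACE/add-image-data HTTP/1.1" 200 52 "-" "curl/8.0"',
    '198.51.100.2 - - [20/Dec/2025:10:00:30 +0000] "GET /product/widget/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [20/Dec/2025:10:03:15 +0000] "GET /wp-content/uploads/2025/12/constructed-sample.php?v=1 HTTP/1.1" 200 31 "-" "curl/8.0"',
    '198.51.100.2 - - [20/Dec/2025:10:04:00 +0000] "GET /wp-content/uploads/2025/12/photo.png HTTP/1.1" 200 40311 "-" "Mozilla/5.0"',
];

foreach (find_suspicious_sequences($sample_log) as $alert) {
    echo "ALERT: $alert\n";
}
```

Feed it a real access log by replacing `$sample_log` with `file('/path/to/access.log', FILE_IGNORE_NEW_LINES)`. Keying on the client IP is a simplification: a reverse proxy or CDN in front of WordPress means the real client address is in a forwarded header, and an attacker can upload and fetch from different addresses, so the file integrity monitoring and extension alerts listed above remain the primary controls; this correlation adds context rather than replacing them.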
How to Mitigate CVE-2025-13329
Immediate Actions Required
- Update the File Uploader for WooCommerce plugin to a patched version immediately if one is available
- If no patch is available, deactivate and remove the File Uploader for WooCommerce plugin until a fix is released
- Conduct a thorough audit of the WordPress filesystem to identify and remove any potentially malicious files
- Review server and WordPress logs for evidence of exploitation attempts
- Implement WAF rules to block requests to the vulnerable add-image-data endpoint as a temporary measure
Patch Information
Organizations should monitor the WordPress Plugin Repository and the Wordfence Vulnerability Report for official patch releases. Until a patch is available, the plugin should be disabled to prevent exploitation.
Workarounds
- Disable the File Uploader for WooCommerce plugin entirely until a security patch is available
- Implement strict file type validation at the web server level (Apache/Nginx) to reject executable file uploads
- Use a Web Application Firewall (WAF) to filter and block malicious requests targeting the vulnerable REST API endpoint
- Restrict REST API access to authenticated users only using WordPress security plugins or server-level access controls
# Example Nginx configuration to block executable uploads
# Temporary measure: refuse all requests to the vulnerable endpoint
location ~* ^/wp-json/.*add-image-data {
    deny all;
    return 403;   # either directive alone already answers with a 403
}
# Alternative: block execution of script files (.php, .phtml, .phar) in upload directories
location ~* ^/wp-content/uploads/.*\.ph(p|tml|ar)$ {
    deny all;
    return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.