CVE-2025-4387 Overview
CVE-2025-4387 is an authenticated arbitrary file upload vulnerability in the Abandoned Cart Pro for WooCommerce plugin by Tyche Softwares. The flaw resides in the wcap_add_to_cart_popup_upload_files function, which fails to validate uploaded file types. All plugin versions up to and including 9.16.0 are affected. Attackers with subscriber-level access or higher can upload arbitrary files, including executable PHP scripts, to the server. Whether the upload becomes code execution depends on server configuration: where the web server executes PHP from the uploads directory, the result is remote code execution on the WordPress host. The weakness is classified as [CWE-434] Unrestricted Upload of File with Dangerous Type.
Critical Impact
An authenticated subscriber can upload arbitrary files that may execute as code, resulting in full site compromise.
Affected Products
- Abandoned Cart Pro for WooCommerce plugin (Tyche Softwares)
- All versions up to and including 9.16.0
- WordPress sites running WooCommerce with this plugin enabled
Discovery Timeline
- 2025-06-10 - CVE-2025-4387 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-4387
Vulnerability Analysis
The Abandoned Cart Pro for WooCommerce plugin exposes the wcap_add_to_cart_popup_upload_files AJAX handler to authenticated users. The handler accepts file uploads tied to the abandoned cart popup feature but omits validation of file extension, MIME type, and content. This violation of secure upload practices allows any authenticated WordPress user, including a subscriber, to submit arbitrary file content under attacker-controlled filenames.
The vulnerability is classified under [CWE-434] Unrestricted Upload of File with Dangerous Type. Because WordPress assigns subscriber roles to anyone who self-registers when registration is enabled, the practical attack surface is broad. Successful uploads land within the WordPress uploads directory tree, where PHP execution is often permitted by default Apache or Nginx configurations.
Root Cause
The root cause is missing server-side validation in wcap_add_to_cart_popup_upload_files. The function does not enforce an allowlist of permitted MIME types or extensions, does not verify file content via magic-byte inspection, and does not rename or sanitize uploaded files. Client-side restrictions, if any, can be trivially bypassed by submitting crafted multipart requests directly to the AJAX endpoint.
Attack Vector
An attacker first authenticates to a vulnerable WordPress site using subscriber-level credentials. They then issue a POST request to the AJAX action exposed by the plugin, attaching a malicious PHP file as the upload payload. Once the file is written under wp-content/uploads/, the attacker requests the file via HTTP. The web server executes the PHP, yielding code execution under the web server user context. From there, attackers commonly deploy webshells, harvest credentials from wp-config.php, and pivot deeper into the host. Technical details are documented in the Wordfence Vulnerability Report.
Detection Methods for CVE-2025-4387
Indicators of Compromise
- Files with executable extensions (.php, .phtml, .phar) present under wp-content/uploads/ directories used by the Abandoned Cart Pro plugin.
- POST requests to admin-ajax.php with the wcap_add_to_cart_popup_upload_files action originating from low-privilege user sessions.
- New or unexpected subscriber account registrations followed shortly by file upload activity.
- Outbound connections from the web server to unfamiliar hosts after upload events, indicative of webshell callbacks.
Detection Strategies
- Inspect web server access logs for POST requests to admin-ajax.php that name the vulnerable action, correlated with multipart/form-data payloads. The action parameter is normally carried in the POST body, which standard access logs do not record; only the query-string form is visible there, so body-level coverage needs a WAF log or a WordPress-side audit log.
- Scan WordPress upload directories for files whose extension or content does not match expected media types.
- Monitor PHP process execution chains where php-fpm or Apache mod_php spawns shells, file writes, or network utilities.
- Alert on creation of administrative WordPress users shortly after suspicious upload activity.
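The two log-level indicators above (upload calls to the vulnerable action, and requests for PHP-like files under wp-content/uploads/) and the upload-directory scan can be checked with a small triage script. The following is an added example, not tooling from the advisory or from Tyche Softwares: the log lines and the files it creates in a temporary directory are constructed for the demonstration, the log format is the standard Apache/Nginx combined format, and the media types in the allowlist are an assumption about what a cart popup upload should contain.

```python
"""Triage helpers for CVE-2025-4387 (added example; all sample data is constructed)."""
import os
import re
import tempfile

VULN_ACTION = "wcap_add_to_cart_popup_upload_files"
UPLOADS_PREFIX = "/wp-content/uploads/"
# Extensions PHP handlers commonly execute. Matching any dot-separated suffix
# also catches double extensions such as shell.php.jpg.
EXEC_EXT = {"php", "phtml", "phar", "phps", "php3", "php4", "php5", "php7"}
# Leading bytes expected for the media a cart popup upload should contain (assumed).
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
}
# Combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def has_executable_extension(name):
    """True if any suffix of the file name is a PHP-like extension."""
    return any(p in EXEC_EXT for p in name.lower().split(".")[1:])


def triage_access_log(lines):
    """Return {'upload_calls': [...], 'exec_fetches': [...]} from access log lines.
    upload_calls: POSTs to admin-ajax.php naming the vulnerable action in the
    query string. The action is usually in the multipart body, which the access
    log does not record, so an empty list is not proof of absence.
    exec_fetches: any request for a PHP-like file under wp-content/uploads/,
    i.e. someone trying to run what was uploaded."""
    upload_calls, exec_fetches = [], []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m["path"].partition("?")
        rec = {"ip": m["ip"], "ts": m["ts"], "path": path, "status": int(m["status"])}
        if m["method"] == "POST" and path.endswith("/admin-ajax.php") and VULN_ACTION in query:
            upload_calls.append(rec)
        if path.startswith(UPLOADS_PREFIX) and has_executable_extension(os.path.basename(path)):
            exec_fetches.append(rec)
    return {"upload_calls": upload_calls, "exec_fetches": exec_fetches}


def classify_upload(name, head):
    """Classify one file by its name and first bytes:
    'executable'     PHP-like extension, including double extensions
    'php-in-content' PHP open tag behind a benign name (e.g. a JPEG/PHP polyglot)
    'mismatch'       known media extension whose magic bytes do not match
    'ok'             nothing suspicious in name or header"""
    if has_executable_extension(name):
        return "executable"
    if b"<?php" in head or b"<?=" in head:
        return "php-in-content"
    ext = os.path.splitext(name.lower())[1]
    if ext in MAGIC and not head.startswith(MAGIC[ext]):
        return "mismatch"
    return "ok"


def scan_uploads(root):
    """Walk an uploads tree; return {relative path: verdict} for every non-'ok' file."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            with open(full, "rb") as fh:
                head = fh.read(512)
            verdict = classify_upload(fn, head)
            if verdict != "ok":
                findings[os.path.relpath(full, root).replace(os.sep, "/")] = verdict
    return findings


# Constructed sample log lines (RFC 5737 addresses; not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2025:14:02:11 +0000] "POST /wp-admin/admin-ajax.php'
    '?action=wcap_add_to_cart_popup_upload_files HTTP/1.1" 200 57 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jun/2025:14:02:13 +0000] "GET /wp-content/uploads/2025/06/'
    'shell.php?c=id HTTP/1.1" 200 1203 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jun/2025:14:05:40 +0000] "POST /wp-admin/admin-ajax.php'
    ' HTTP/1.1" 200 57 "-" "Mozilla/5.0"',  # action in the body: invisible here
    '198.51.100.7 - - [10/Jun/2025:14:06:02 +0000] "GET /wp-content/uploads/2025/06/'
    'cart.png HTTP/1.1" 200 8831 "-" "Mozilla/5.0"',
]


def build_sample_tree():
    """Create a throwaway uploads tree with constructed files; return its path."""
    root = tempfile.mkdtemp(prefix="uploads-")
    sub = os.path.join(root, "2025", "06")
    os.makedirs(sub)
    samples = {
        "cart.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "shell.php": b"<?php /* webshell placeholder */ ?>",
        "shell.php.jpg": b"\xff\xd8\xff\xe0<?php /* double extension */ ?>",
        "photo.jpg": b"plain text pretending to be a JPEG",
        "poly.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 8 + b"<?php /* polyglot */ ?>",
    }
    for name, data in samples.items():
        with open(os.path.join(sub, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    print(triage_access_log(SAMPLE_LOG))
    print(scan_uploads(build_sample_tree()))
```

The exec_fetches list is the stronger signal on a real host: a 200 response for a .php file under uploads means the server executed it, while a 403 shows the deny rule in the Workarounds section doing its job. Run scan_uploads against a copy of the live uploads directory rather than the directory itself, since the 512-byte read touches every file's access time.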
Monitoring Recommendations
- Enable file integrity monitoring on wp-content/uploads/ and plugin directories.
- Forward WordPress and web server logs to a centralized analytics platform for correlation with endpoint telemetry.
- Track subscriber registration spikes and any abnormal AJAX activity from non-administrative accounts.
How to Mitigate CVE-2025-4387
Immediate Actions Required
- Upgrade Abandoned Cart Pro for WooCommerce to version 9.17.0 or later, per the Tyche Software Changelog.
- Audit existing subscriber accounts and remove any that are unrecognized or recently created.
- Search WordPress upload directories for unauthorized PHP files and remove them.
- Rotate WordPress secrets and database credentials if compromise is suspected.
Patch Information
Tyche Softwares addressed the issue in Abandoned Cart Pro for WooCommerce version 9.17.0. The fix introduces file type validation in the wcap_add_to_cart_popup_upload_files function. Site administrators should apply the update through the WordPress plugin manager or download the latest release directly from the Tyche Software Product Page.
Workarounds
- Disable the Abandoned Cart Pro for WooCommerce plugin until patching is complete.
- Disable open WordPress user registration (Settings > General > Membership) to reduce the pool of authenticated attackers.
- Configure the web server to deny PHP execution within wp-content/uploads/ using directory-level rules.
- Place a web application firewall rule in front of the site to block POST requests to the vulnerable AJAX action.
# Configuration example: deny PHP execution under wp-content/uploads (Apache 2.4 syntax;
# on 2.2 use "Order allow,deny" and "Deny from all" instead of Require).
# (?i) makes the match case-insensitive and the trailing (\.|$) also catches double
# extensions such as shell.php.jpg, which AddHandler-based mod_php setups may execute.
<Directory "/var/www/html/wp-content/uploads">
<FilesMatch "(?i)\.(php|phtml|phar|phps|php[3-7])(\.|$)">
Require all denied
</FilesMatch>
</Directory>
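The Nginx counterpart to the Apache rule above, together with the query-string form of the WAF workaround. This is an added example, not configuration from the advisory or from Tyche Softwares; the document root, the php-fpm socket path and the rest of the server block are assumptions.

```nginx
# Added example: Nginx equivalent of the uploads deny rule plus the
# query-string form of the AJAX-action block. Paths are assumptions.
server {
    # ... listen, server_name, root /var/www/html, index index.php ... (assumed)

    # Regex locations are tried in file order and the first match wins, so this
    # block must precede the generic \.php$ handler below; otherwise the handler
    # wins and the uploaded file runs. ~* makes the match case-insensitive and
    # (\.|$) catches double extensions such as shell.php.jpg.
    location ~* ^/wp-content/uploads/.*\.(php|phtml|phar|phps|php[3-7])(\.|$) {
        return 403;
    }

    # Block the vulnerable action when it is carried in the query string.
    # The plugin's multipart POST normally carries "action" in the body, which
    # Nginx does not parse; body-level blocking needs a WAF such as ModSecurity.
    location = /wp-admin/admin-ajax.php {
        if ($arg_action = "wcap_add_to_cart_popup_upload_files") {
            return 403;
        }
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
    }

    # Normal PHP handler for everything else (stock WordPress setup).
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

Check the rule with nginx -t, reload, then create a harmless wp-content/uploads/test.php containing plain text and confirm that requesting it returns 403 rather than the file's contents or a PHP response; delete the test file afterwards. Note that the deny rule only stops direct execution: a PHP payload hidden in a file with a media extension still sits on disk, which is why the upload-directory scan in the Detection section remains necessary after patching.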
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


