CVE-2025-13329 — Unauthenticated Arbitrary File Upload in File Uploader for WooCommerce (≤ 1.0.3)

日期： 24 Dec 2025
严重性： High / CVSS 10.0
易受攻击的版本： File Uploader for WooCommerce plugin ≤ 1.0.3
CVE： CVE-2025-13329

As Hong Kong security experts monitoring WordPress threats, we provide the following technical analysis and operational guidance for CVE-2025-13329 — an unauthenticated arbitrary file upload vulnerability affecting the File Uploader for WooCommerce plugin (versions up to and including 1.0.3). The flaw permits unauthenticated attackers to upload arbitrary files (including PHP webshells) to web-accessible locations. Exploitation is straightforward and can lead to full site compromise.

执行摘要

• 什么： Unauthenticated arbitrary file upload via the plugin endpoint (commonly referenced as add-image-data).
• Who: Any unauthenticated user can trigger the vulnerable endpoint on sites running affected plugin versions.
• 影响： Upload and execution of arbitrary files (e.g., PHP webshells) enabling remote code execution, persistence, data exfiltration, and site takeover.
• 严重性： High (CVSS 10.0). Immediate mitigation is strongly recommended.
• Immediate actions: Remove or disable the plugin, block the vulnerable endpoint, scan for indicators of compromise, and follow incident response steps if suspicious activity is discovered.

What exactly is the vulnerability?

This is an unauthenticated arbitrary file upload vulnerability. The plugin exposes an endpoint (add-image-data or similarly named) that accepts uploaded files. In affected versions, the endpoint:

• does not enforce proper authentication or capability checks (no nonce or capability verification),
• does not validate file contents and extensions robustly,
• writes uploaded files directly into web-accessible directories using attacker-controlled names and extensions,
• and lacks server-side checks to prevent uploading of executable file types (e.g., .php, .phtml, files with double extensions).

The combination of unauthenticated access and insufficient validation enables attackers to upload backdoors and execute arbitrary PHP code on the server.

How attackers can abuse this (high-level)

An attacker can POST a file payload to the vulnerable endpoint and save a file such as shell.php into wp-content/uploads or another web-accessible location. After upload, the attacker can execute the file via HTTP, gaining remote code execution with the privileges of the web server user.

Post-exploitation objectives commonly include:

• Deploying a PHP webshell for interactive control.
• Planting persistent backdoors for long-term access.
• Executing commands to enumerate or exfiltrate data (database dumps, configuration files).
• Installing cryptominers, ransomware, or other malware.
• Pivoting to other sites on the same server or to internal resources.

Because the endpoint is unauthenticated, widespread scanning and opportunistic exploitation are likely shortly after disclosure.

Indicators of Compromise (IoCs) and what to look for

During investigation, check for the following signs:

1. New files in uploads or plugin directories:
   • Unexpected .php, .phtml, .phar, .pl, .jsp, .sh files under wp-content/uploads or other web-accessible directories.
   • Files with double extensions (e.g., image.jpg.php, shell.png.jpeg.php).
   • Files with random or benign-looking names (e.g., 20251224_invoice.php).
2. Suspicious HTTP requests in access logs:
   • POST requests to URLs containing plugin path segments and add-image-data (or similar).
   • Multipart/form-data uploads to the endpoint from unknown IPs.
   • Requests with unusual or absent User-Agent headers.
3. Webserver error logs:
   • PHP Fatal 或 PHP Warning entries associated with uploaded file execution.
   • Unusual filesystem warnings followed by successful writes to new files.
4. Outbound traffic anomalies:
   • Increased outbound connections to suspicious hosts or known C2 infrastructure.
   • Unusual DNS lookups originating from the server.
5. Suspicious changes in WordPress administration:
   • New administrative users added without authorization.
   • Unauthorized plugin/theme file modifications or changes to settings.
6. File integrity monitoring alerts:
   • Unexpected file hash changes in core, themes, or plugins.

If any of the above indicators are present, treat the site as potentially compromised and proceed with containment, investigation, and remediation.

Immediate mitigation steps (site owners)

When a critical unauthenticated upload is disclosed, act quickly. Prioritize containment:

1. 限制访问： Put the site into maintenance/offline mode or restrict access by IP while investigating.
2. Disable or remove the plugin:
   • If you can access WP admin, deactivate and remove the plugin immediately.
   • If admin is inaccessible, remove or rename the plugin directory via SFTP/SSH: wp-content/plugins/file-uploader-for-woocommerce → rename to file-uploader-for-woocommerce.disabled.
3. Block the vulnerable endpoint:
   • Configure your web application firewall (WAF) or server to block POST requests to the vulnerable endpoint (for example, requests to /wp-admin/admin-ajax.php?action=add-image-data or the plugin’s upload path).
   • Disallow multipart/form-data uploads to that endpoint unless they include a valid nonce/CSRF token or originate from trusted IPs.
4. Search for and remove web shells:
   • Scan wp-content/uploads and plugin directories for .php and other unexpected file types.
   • Example command:

     find wp-content/uploads -type f -iname "*.php"

   • Quarantine or remove suspicious files after confirming maliciousness; if unsure, preserve copies for forensic analysis.
5. Rotate credentials:
   • Rotate WordPress admin passwords, database credentials, FTP/SFTP/SSH passwords, and any exposed API keys.
   • Revoke and replace SSH keys if exposure is suspected.
6. Restore from clean backup:
   • If compromise is confirmed, restore from a known clean backup created prior to the incident.
   • After restoring, reapply mitigations (disable plugin, block endpoint) before reconnecting fully to the internet.
7. 通知利益相关者：
   • Inform your hosting provider and internal teams involved in site management.
   • If sensitive data may have been exposed, follow legal and regulatory notification requirements.

Suggested virtual-patch rules (examples)

Below are example defensive rules you can implement in a WAF or server configuration to virtual-patch the issue until an official plugin fix is available. Adapt to your WAF/IDS syntax and test in detection mode before blocking.

1. Block unauthenticated POSTs to the vulnerable endpoint

   Rationale: The endpoint should require authentication/nonce; blocking unauthenticated POSTs mitigates exploitation.

   Example (pseudo-rule): If request.method == POST AND request.uri contains “add-image-data” AND request does not include valid nonce OR cookie shows not logged in THEN block.

2. Block uploads with executable extensions

   Rationale: Prevent direct upload and execution of PHP or other executable files.

   Example (regex): If request.body contains filename matching /\.(php|phtml|phar|pl|cgi|asp|aspx|jsp|sh|exe)(\b|$)/i THEN block.

3. Block double-extension filenames

   Rationale: Attackers use image.jpg.php or image.php.jpg to bypass naive checks.

   Example (regex): If filename matches /\.(?:[^.]+)\.(?:php|phtml|phar|pl|cgi|asp|aspx|jsp|sh)$/i THEN block.

4. Block content-type mismatches

   Rationale: If a file is submitted as image/* but file magic indicates PHP, block the request.

   Example: If Content-Type starts with “image/” AND file magic header indicates PHP (<?php) THEN block.

5. Rate-limit uploads

   Rationale: Limit automated mass exploitation.

   Example: For the vulnerable endpoint, allow N uploads per IP per minute; block above threshold.

6. Block known exploit strings in upload payloads

   Rationale: Strings such as <?php eval( 或 base64_decode( are strong indicators.

   Example: If multipart content contains <?php 或者 评估( 或者 base64_decode( THEN block.

Note: Test rules in detection/logging mode first. Rule specifics depend on your WAF engine or server configuration.

Remediation & hardening checklist (site administrators)

• Remove or deactivate the vulnerable plugin until a secure update is available.
• If the plugin must remain, apply strict WAF/server rules to deny access to the upload endpoint for unauthenticated users.
• Disable PHP execution in uploads:
  • Apache: create a .htaccess in wp-content/uploads with directives such as:

    php_flag engine off
    AddType text/plain .php .phtml .php5

  • Nginx: configure location blocks to return 403 for requests to .php files in uploads.
• Restrict file permissions: directories 755, files 644 (or stricter per host).
• Run full malware scans and file integrity checks; compare core/theme/plugin file hashes against official sources.
• Verify administrative accounts and remove unknown users; audit role changes.
• Rotate database and admin credentials, API keys, and hosting control panel passwords.
• Ensure backups are clean and offline copies are available.
• Enable continuous monitoring (file integrity monitoring, security logging, alerting).
• Keep WordPress core, themes, and plugins patched and up to date.

开发者指南 — 如何正确修复

Plugin authors should follow these best practices to prevent arbitrary upload vulnerabilities:

1. Enforce authentication and capability checks:
   • Restrict upload actions to authenticated users with explicit capabilities.
   • Verify WordPress nonces via wp_verify_nonce() for each upload.
2. Use WordPress APIs for uploads:
   • 使用 wp_handle_upload(), wp_handle_upload_prefilter(), and related APIs.
   • 使用 wp_check_filetype_and_ext() to validate MIME types and extensions.
3. Whitelist allowed file types:
   • Allow only required types (e.g., jpg, png, pdf) and reject everything else.
   • Validate file contents using finfo or equivalent server-side checks.
4. Sanitize file names:
   • Remove path traversal vectors, normalize filenames, and prevent double extensions.
   • Generate safe, unique filenames where possible.
5. Store uploads safely:
   • Prefer storage locations that do not allow direct code execution.
   • If files must be web-accessible, serve them via authenticated scripts that check permissions before returning content.
6. Limit file size and rate:
   • Enforce reasonable file size limits and rate limits per IP/account.
7. Logging and monitoring:
   • Log upload events with user ID, IP, filename, and result; alert on anomalous patterns.
8. Security testing:
   • Implement unit and integration tests simulating malicious uploads and conduct code reviews focused on input validation and authorization.

Incident response playbook (recommended sequence)

1. 控制
   • Take the site offline or restrict access.
   • Block the vulnerable endpoint via WAF or server configuration.
   • Revoke active sessions and change admin passwords.
2. Triage
   • Identify IoCs: new or modified files, suspicious processes.
   • Review logs for POST requests to the plugin endpoint around the suspected window.
3. 根除
   • Remove malicious files and backdoors.
   • Replace modified core/theme/plugin files with clean copies from official sources or verified backups.
4. Restore
   • Restore from a clean backup if available.
   • Ensure the vulnerable plugin is removed or patched before bringing the site back online.
5. Recover & Validate
   • Re-enable services and monitor closely.
   • Run full malware scans and file integrity checks.
6. Lessons Learned
   • Document the incident, root cause, and remediation steps.
   • Improve detection and response procedures to reduce future risk.

Coordinate with your hosting provider, legal counsel, and an incident response specialist if the breach is confirmed or if you require forensic assistance.

Detection rules you can implement now (SIEM / Log scanning examples)

• Access log rule: Search for POSTs to the plugin endpoint, e.g., POST /.*add-image-data.
• File system rule: Find PHP files in uploads:

  find /path/to/wordpress/wp-content/uploads -type f -iname "*.php"

• Content scan rule: Scan new uploads for PHP tags such as <?php 或 <?=.
• Behavior anomaly: Alert on newly added admin users plus upload events from the same IP within a short time window.

Why this is urgent

Unauthenticated file upload vulnerabilities are among the most severe WordPress plugin issues. They permit remote attackers to write arbitrary files and often obtain remote code execution quickly. Given that uploads directories are often web-accessible, uploaded payloads can be executed immediately. The unauthenticated nature makes large-scale scanning and automated exploitation likely within hours of public disclosure.

For organisations managing many WordPress sites, the risk compounds: a single compromised site may be used to attack co-hosted sites or internal systems.

Timeline and public disclosure

This issue was assigned CVE-2025-13329 and publicly disclosed on 24 December 2025. When a vulnerability is public, rapid scanning and exploitation typically follow—take immediate protective steps if you run the affected plugin.

Account and server hardening recommendations

• Limit file uploads to roles that require them.
• Disable plugin and theme editors in WordPress (define('DISALLOW_FILE_EDIT', true);).
• Disable PHP execution in the uploads directory (.htaccess or nginx configuration).
• Adopt least privilege for database and filesystem accounts.
• Maintain regular offsite backups and verify backup integrity.
• Implement file integrity monitoring and alerting.
• Ensure a rapid rollback process and credential rotation plan.

Quick checklist for site owners

• Identify whether the plugin is installed and check its version.
• If vulnerable, deactivate and remove the plugin or block the endpoint immediately.
• Scan uploads and plugin folders for unexpected files (.php, .phtml, etc.).
• Rotate credentials (WordPress admins, DB, FTP, control panel).
• Restore from clean backup if compromise is confirmed.
• Apply WAF/server rules as a virtual patch until a secure plugin version is available.
• Implement longer-term hardening (disable PHP execution in uploads, restrict file types).

Final notes — a responsible approach

This vulnerability underscores the need for defence-in-depth. Layered protections—server hardening, upload validation, execution restrictions, robust logging and monitoring—reduce the probability and impact of exploitation. The safest immediate approach is to remove or disable vulnerable components and apply virtual patches at the server or WAF layer until an upstream fix is available.

If you require assistance with detection or remediation, contact your hosting provider, a trusted incident response firm, or an experienced security consultant. Prioritise containment and forensic preservation before aggressive cleanup if you suspect active compromise.