AI description
CVE-2025-11391 is an arbitrary file upload vulnerability found in the PPOM – Product Addons & Custom Fields for WooCommerce plugin for WordPress. This flaw, discovered in October 2025, stems from a lack of file type validation within the plugin's image cropper functionality. The vulnerability allows unauthenticated attackers to bypass file type restrictions and upload arbitrary files to the affected website's server, which may lead to remote code execution on the compromised system. The issue impacts all versions of the plugin up to and including 33.0.15. Although the vulnerable code is present in the free version, only users with the paid version installed and activated are affected. A fix for this vulnerability was released in version 33.0.16 of the plugin on October 16, 2025.
- Description: The PPOM – Product Addons & Custom Fields for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the image cropper functionality in all versions up to, and including, 33.0.15. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. While the vulnerable code is in the free version, this only affected users with the paid version of the software installed and activated.
- Source: security@wordfence.com
- NVD status: Awaiting Analysis
CVSS 3.1
- Type: Primary
- Base score: 9.8
- Impact score: 5.9
- Exploitability score: 3.9
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity: CRITICAL
- Source: security@wordfence.com
- Weakness: CWE-434
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score: 3
CVE-2025-11391 – Unauthenticated Blind SQL Injection in PPOM for WooCommerce 33.0.15 https://t.co/UUnQlf6AVF #cve #SQL_injection #SqlInjection #WooCommerce
@RootAccessClub, 13 Feb 2026: 0 impressions, 0 retweets, 0 likes, 0 bookmarks, 0 replies, 0 quotes
GitHub - aritlhq/CVE-2025-11391: WordPress PPOM for WooCommerce Plugin <= 33.0.15 is vulnerable to SQL Injection https://t.co/2d6a0i6DGr
@akaclandestine, 13 Feb 2026: 1285 impressions, 6 retweets, 20 likes, 10 bookmarks, 0 replies, 0 quotes
GitHub - aritlhq/CVE-2025-11391: WordPress PPOM for WooCommerce Plugin <= 33.0.15 is vulnerable to SQL Injection https://t.co/2d6a0i6DGr
@akaclandestine, 21 Oct 2025: 1826 impressions, 8 retweets, 23 likes, 16 bookmarks, 0 replies, 0 quotes
CVE-2025-11391 in the PPOM plugin for WooCommerce allows file uploads without proper validation, which can lead to remote code execution. The risks from unauthorized attacks are significant. #säkerhet #cybersäkerhet #CVE
@Sakerhetsblogg, 18 Oct 2025: 0 impressions, 0 retweets, 0 likes, 0 bookmarks, 0 replies, 0 quotes
**CVE-2025-11391** pertains to a critical security flaw in the **PPOM – Product Addons & Custom Fields for WooCommerce** plugin for WordPress. The vulnerability arises from improper validation of uploaded files in the image cropper functionality, allowing unauthenticated
@CveTodo, 18 Oct 2025: 57 impressions, 0 retweets, 0 likes, 0 bookmarks, 0 replies, 0 quotes
[CVE-2025-11391: CRITICAL] Beware: PPOM Plugin for WooCommerce WordPress site exposes to arbitrary file upload. Unauthenticated attackers could execute code on server. Update to version 33.0.16 or newer now! #cve,CVE-2025-11391,#cybersecurity https://t.co/N3H4M0VMT1 https://t.co/e
@CveFindCom, 18 Oct 2025: 104 impressions, 0 retweets, 0 likes, 0 bookmarks, 0 replies, 0 quotes