CVE-2025-49885
BaseFortify
Publication date: 2025-06-27
Last updated on: 2026-04-23
Assigner: Patchstack
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability can lead to complete compromise of the affected website. An attacker can upload and execute malicious files, leading to unauthorized access, data theft, defacement, or use of the server as a foothold for further attacks. Because exploitation requires no authentication and the issue is rated CVSS 10.0, it is a critical risk with a high likelihood of widespread exploitation. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves scanning for unauthorized or suspicious uploads, especially web shells, on the affected WordPress site. Since the vulnerability allows arbitrary file uploads, look for recently created files with unusual or double extensions (for example `.php.jpg`) and for PHP files anywhere under the uploads directory, which should contain only media. A starting point is: `find /path/to/wordpress/wp-content/uploads/ -type f \( -name '*.php' -o -name '*.phtml' \) -exec ls -l {} \;`, which lists PHP files in the upload directories. Also review web server logs for unexpected POST requests to the plugin's upload endpoint and for requests that fetch PHP files from `wp-content/uploads`, which indicate an uploaded shell being used. A malware scan by a dedicated tool or by your hosting provider's scanning service is also recommended. [1]
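The checks above, written out as a runnable triage script. This is an added example and not code from BaseFortify, Patchstack or the plugin vendor: the directory layout, file names and access-log lines are constructed fixtures so it runs offline, and the "upload" path filter in the log search is an assumption, because the page does not name the vulnerable endpoint. It goes a little beyond the `find` one-liner by also flagging double extensions and `.htaccess` / `.user.ini` files dropped into the uploads tree, and by searching the access log for requests that fetch PHP files from `wp-content/uploads`, which is a dropped shell being used.

```shell
#!/bin/sh
# Added example for triaging CVE-2025-49885 (arbitrary file upload); it is not code
# from BaseFortify, Patchstack or the plugin vendor. Paths, file names and log lines
# below are constructed fixtures so the script runs offline.
set -eu

# (1) Files under wp-content/uploads that should never exist there: PHP-like files,
#     double extensions such as shell.php.jpg, and .htaccess / .user.ini, which
#     attackers drop to make "image" files executable. Prints one path per line.
find_suspicious_uploads() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.php.*' -o -iname '*.phtml' \
        -o -iname '*.phar' -o -iname '*.php[0-9]' \
        -o -name '.htaccess' -o -name '.user.ini' \) -print | sort
}

# (2) Access-log lines worth a second look: any request for a PHP file below
#     wp-content/uploads (an uploaded web shell being used), and POSTs whose path
#     mentions "upload" (the request shape an unauthenticated attacker sends to the
#     plugin's upload handler). The "upload" path filter is an assumption; the page
#     does not name the vulnerable endpoint, so tune it to the real one.
grep_access_log() {
    grep -Ei '"(GET|POST) /wp-content/uploads/[^" ]*\.ph(p[0-9]?|tml|ar)(\?[^" ]*)? |"POST [^" ]*upload[^" ]* ' "$1" || true
}

# Build a throwaway site layout and access log so the helpers can be exercised.
build_fixture() {
    dir=$(mktemp -d)
    up="$dir/wp-content/uploads/2025/06"
    mkdir -p "$up"
    printf 'JFIF' > "$up/product.jpg"                         # benign media
    printf 'notes' > "$up/notes.txt"                          # benign
    printf '<?php /* web shell body */' > "$up/shell.php"     # PHP in uploads
    printf '<?php /* web shell body */' > "$up/pic.php.jpg"   # double extension
    printf 'AddHandler application/x-httpd-php .jpg\n' > "$dir/wp-content/uploads/.htaccess"
    cat > "$dir/access.log" <<'EOF'
203.0.113.5 - - [27/Jun/2025:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=upload_file HTTP/1.1" 200 57 "-" "python-requests/2.32"
203.0.113.5 - - [27/Jun/2025:10:01:05 +0000] "GET /wp-content/uploads/2025/06/shell.php?cmd=id HTTP/1.1" 200 312 "-" "python-requests/2.32"
198.51.100.7 - - [27/Jun/2025:10:02:10 +0000] "GET /wp-content/uploads/2025/06/product.jpg HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
198.51.100.7 - - [27/Jun/2025:10:02:11 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
    echo "$dir"
}

FIXTURE=$(build_fixture)
echo "== suspicious files under uploads =="
find_suspicious_uploads "$FIXTURE/wp-content/uploads"
echo "== suspicious access-log lines =="
grep_access_log "$FIXTURE/access.log"
```

Against the fixture the file search reports `shell.php`, `pic.php.jpg` and the `.htaccess`, and the log search returns the POST to the upload-style endpoint followed by the GET of `shell.php` from the same address, which is the sequence to expect when the upload succeeded. On a real site, run the file search against the actual `wp-content/uploads` path and point the log search at the web server's access log (including rotated copies), then treat every hit as an artifact to preserve before cleanup.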
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation: apply the virtual patch (vPatch) provided by Patchstack to block attacks until the official fix is installed, then update the Drag and Drop Multiple File Upload (Pro) - WooCommerce plugin to version 5.0.7 or later, where the vulnerability is resolved. Enable auto-updates for the plugin so future fixes are applied promptly. If you suspect the site has already been compromised, engage professional incident response or your hosting provider's malware scanning service rather than relying solely on plugin-based malware scanners, since a web shell on the server can tamper with anything that runs inside WordPress. [1]
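A quick way to confirm whether an installed copy is still below the fixed release, as an added example that is not code from BaseFortify, Patchstack or the plugin vendor. WordPress stores plugin metadata in the comment block at the top of the plugin's main file, so the script reads the `Version:` header from that file and compares it to 5.0.7 in natural version order. The plugin file used here is a constructed fixture; the page does not give the plugin's directory name, so substitute the real path under `wp-content/plugins/`.

```shell
#!/bin/sh
# Added example, not code from BaseFortify, Patchstack or the plugin vendor: read the
# installed plugin version from its header and decide whether it predates the 5.0.7 fix.
# The plugin file below is a constructed fixture; the page does not give the real
# directory name, so substitute the actual path under wp-content/plugins/.
set -eu

FIXED_VERSION="5.0.7"

# WordPress reads plugin metadata from the comment block at the top of the main
# plugin file; pull the value after "Version:" (strip a leading " * " and any CR).
plugin_header_version() {
    sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*//p' "$1" | head -n1 | tr -d '\r'
}

# True (exit 0) when $1 sorts before the fixed version in natural version order.
# sort -V compares numeric components, so 5.0.10 is correctly newer than 5.0.7.
is_vulnerable_version() {
    [ "$1" != "$FIXED_VERSION" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$FIXED_VERSION" | sort -V | head -n1)" = "$1" ]
}

# Constructed fixture standing in for wp-content/plugins/<plugin-dir>/<main-file>.php
PLUGIN_FILE=$(mktemp)
cat > "$PLUGIN_FILE" <<'EOF'
<?php
/**
 * Plugin Name: Drag and Drop Multiple File Upload (Pro) - WooCommerce
 * Version: 5.0.6
 */
EOF

installed=$(plugin_header_version "$PLUGIN_FILE")
if is_vulnerable_version "$installed"; then
    echo "installed $installed < $FIXED_VERSION: update now (CVE-2025-49885)"
else
    echo "installed $installed: fixed"
fi
```

Where WP-CLI is available, `wp plugin list` shows the same version information for every installed plugin, and `wp plugin auto-updates enable <plugin-slug>` turns on the auto-updates the answer above recommends; the header check is useful on hosts where WP-CLI is not installed or where you only have a file-system backup to inspect.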
Can you explain this vulnerability to me?
CVE-2025-49885 is a critical vulnerability in the WordPress plugin 'Drag and Drop Multiple File Upload (Pro) - WooCommerce', affecting versions 5.0.6 and earlier. It allows unauthenticated attackers to upload arbitrary files, including backdoors and web shells, to the web server. An attacker who uploads a PHP file can then request it through the web server to execute code on the site, potentially gaining full control of the installation. [1]