CVE-2026-25328
Path Traversal in WooCommerce Product File Upload Plugin
Publication date: 2026-03-25
Last updated on: 2026-04-28
Assigner: Patchstack
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| add-ons.org | product_file_upload_for_woocommerce | to 2.2.4 (inc) |
| patchstack | products_file_upload_for_woocommerce | to 2.2.4 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability allows unauthenticated attackers to perform arbitrary file deletion on affected websites running the vulnerable plugin versions (≤ 2.2.4). Detection typically involves monitoring for suspicious file deletion activities or unauthorized access attempts targeting the Product File Upload for WooCommerce plugin.
Since the vulnerability is related to broken access control allowing arbitrary file deletion, network or system detection can focus on identifying unusual HTTP requests attempting path traversal or file deletion patterns.
Specific commands are not provided in the available resources, but general approaches include:
- Review web server access logs for suspicious requests containing path traversal sequences such as "../" or encoded variants.
- Use tools like grep to search logs for plugin-specific endpoints or parameters that might be exploited.
- Example command to search Apache logs for path traversal attempts: `grep -E '\.\./|%2e%2e%2f' /var/log/apache2/access.log`
- Monitor file system changes for unexpected deletions in the WordPress installation directory.
- Enable and use Patchstack mitigation rules if available, which can block attacks targeting this vulnerability.
The best mitigation and detection method is to update the plugin to version 2.2.5 or later, as this patches the vulnerability.
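The grep above only matches two literal spellings of `../`. As an added example (not part of this advisory or of the plugin's code), the following Python scanner goes further: it percent-decodes each request's query values repeatedly (so double-encoded `%252e` is caught), treats backslashes as separators, and flags any value that would resolve outside a base directory. The log lines and the endpoint path `/wp-content/plugins/example/file.php` are constructed placeholders, not the plugin's real endpoint.

```python
import re
from posixpath import normpath
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-log sample; client IPs are documentation addresses.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Mar/2026:10:00:01 +0000] "GET /wp-content/plugins/example/file.php?name=invoice.pdf HTTP/1.1" 200 512
203.0.113.8 - - [25/Mar/2026:10:00:02 +0000] "GET /wp-content/plugins/example/file.php?name=../../../wp-config.php HTTP/1.1" 200 77
203.0.113.9 - - [25/Mar/2026:10:00:03 +0000] "GET /wp-content/plugins/example/file.php?name=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 404 0
203.0.113.10 - - [25/Mar/2026:10:00:04 +0000] "GET /wp-content/plugins/example/file.php?name=%252e%252e%252fwp-config.php HTTP/1.1" 200 0
203.0.113.11 - - [25/Mar/2026:10:00:05 +0000] "GET /wp-content/plugins/example/file.php?name=..%5c..%5cwp-config.php HTTP/1.1" 200 0
"""

BASE = "/base"  # Stand-in for the plugin's restricted upload directory (assumption).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')


def full_decode(value, max_rounds=3):
    """Percent-decode until stable so double-encoded sequences are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def escapes_base(value):
    """True if joining the decoded value under BASE resolves outside BASE."""
    decoded = full_decode(value).replace("\\", "/")
    joined = normpath(BASE + "/" + decoded)
    return not (joined == BASE or joined.startswith(BASE + "/"))


def scan_log(log_text):
    """Return (line_no, client_ip, target) for requests carrying traversal values."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group("target")
        parts = urlsplit(target)
        # parse_qs already decodes one layer; full_decode handles the rest.
        values = [parts.path] + [v for vs in parse_qs(parts.query, keep_blank_values=True).values() for v in vs]
        if any(escapes_base(v) for v in values):
            hits.append((line_no, line.split()[0], target))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("traversal attempt: line %d from %s -> %s" % hit)
```

Absolute paths in a parameter are not flagged by this check, since the concern here is escaping the base directory via `..`; extend `escapes_base` if the endpoint you monitor accepts absolute paths.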
Can you explain this vulnerability to me?
CVE-2026-25328 is a high-priority vulnerability in the WordPress Product File Upload for WooCommerce plugin versions 2.2.4 and earlier.
It allows unauthenticated attackers to perform arbitrary file deletion on affected websites due to broken access control.
This means attackers can delete critical core files of the website, potentially causing the site to break and stop functioning.
How can this vulnerability impact me?
The vulnerability can lead to the deletion of important website files without any authentication.
This can cause the website to malfunction or completely stop working, resulting in downtime and loss of service.
Because the vulnerability is exploitable by unauthenticated attackers, it poses a significant risk to website availability and integrity.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the vulnerability in the WordPress Product File Upload for WooCommerce plugin, you should immediately update the plugin to version 2.2.5 or later, where the issue is patched.
Until you can update, you can use Patchstack mitigation rules which can block attacks targeting this vulnerability.
If you are a Patchstack user, enabling auto-updates specifically for vulnerable plugins is recommended to ensure rapid protection.