CVE-2026-25328
Received Received - Intake
Path Traversal in WooCommerce Product File Upload Plugin

Publication date: 2026-03-25

Last updated on: 2026-04-28

Assigner: Patchstack

Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in add-ons.org Product File Upload for WooCommerce products-file-upload-for-woocommerce allows Path Traversal.This issue affects Product File Upload for WooCommerce: from n/a through <= 2.2.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-04-28
Generated
2026-06-16
AI Q&A
2026-03-25
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25328
EUVD
EUVD-2026-15645
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
add-ons.org product_file_upload_for_woocommerce to 2.2.4 (inc)
patchstack products_file_upload_for_woocommerce to 2.2.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-25328 is a high-priority vulnerability in the WordPress Product File Upload for WooCommerce plugin versions 2.2.4 and earlier.

It allows unauthenticated attackers to perform arbitrary file deletion on affected websites due to broken access control.

This means attackers can delete critical core files of the website, potentially causing the site to break and stop functioning.

Impact Analysis

The vulnerability can lead to the deletion of important website files without any authentication.

This can cause the website to malfunction or completely stop working, resulting in downtime and loss of service.

Because the vulnerability is exploitable by unauthenticated attackers, it poses a significant risk to website availability and integrity.

Mitigation Strategies

To mitigate the vulnerability in the WordPress Product File Upload for WooCommerce plugin, you should immediately update the plugin to version 2.2.5 or later, where the issue is patched.

Until you can update, you can use Patchstack mitigation rules which can block attacks targeting this vulnerability.

If you are a Patchstack user, enabling auto-updates specifically for vulnerable plugins is recommended to ensure rapid protection.

Detection Guidance

This vulnerability allows unauthenticated attackers to perform arbitrary file deletion on affected websites running the vulnerable plugin versions (≀ 2.2.4). Detection typically involves monitoring for suspicious file deletion activities or unauthorized access attempts targeting the Product File Upload for WooCommerce plugin.

Since the vulnerability is related to broken access control allowing arbitrary file deletion, network or system detection can focus on identifying unusual HTTP requests attempting path traversal or file deletion patterns.

Specific commands are not provided in the available resources, but general approaches include:

  • Review web server access logs for suspicious requests containing path traversal sequences such as "../" or encoded variants.
  • Use tools like grep to search logs for plugin-specific endpoints or parameters that might be exploited.
  • Example command to search Apache logs for path traversal attempts:
  • grep -E '\.\./|%2e%2e%2f' /var/log/apache2/access.log
  • Monitor file system changes for unexpected deletions in the WordPress installation directory.
  • Enable and use Patchstack mitigation rules if available, which can block attacks targeting this vulnerability.

The best mitigation and detection method is to update the plugin to version 2.2.5 or later, as this patches the vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25328. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart