CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 2CVE-2025-4403 – Drag and Drop Multiple File Upload for WooCommerce <= 1.1.6 - Unauthenticated Arbitrary File Upload via upload Function
https://notcve.org/view.php?id=CVE-2025-4403
08 May 2025 — The Drag and Drop Multiple File Upload for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads in all versions up to, and including, 1.1.6 due to accepting a user‐supplied supported_type string and the uploaded filename without enforcing real extension or MIME checks within the upload() function. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://github.com/Yucaerin/CVE-2025-4403 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-2941 – Drag and Drop Multiple File Upload for WooCommerce <= 1.1.4 - Unauthenticated Arbitrary File Move
https://notcve.org/view.php?id=CVE-2025-2941
04 Apr 2025 — The Drag and Drop Multiple File Upload for WooCommerce plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation via the wc-upload-file[] parameter in all versions up to, and including, 1.1.4. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php). • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3266697%40drag-and-drop-multiple-file-upload-for-woocommerce&new=3266697%40drag-and-drop-multiple-file-upload-for-woocommerce&sfp_email=&sfph_mail= • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2022-45377 – WordPress Drag and Drop Multiple File Upload for WooCommerce Plugin <= 1.0.8 is vulnerable to Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2022-45377
24 Feb 2023 — Unrestricted Upload of File with Dangerous Type vulnerability in Glen Don L. Mongaya Drag and Drop Multiple File Upload for WooCommerce.This issue affects Drag and Drop Multiple File Upload for WooCommerce: from n/a through 1.0.8. Vulnerabilidad de carga de archivos con tipo peligroso sin restricciones en Glen Don L. Mongaya Drag and Drop Multiple File Upload for WooCommerce. Este problema afecta a Drag and Drop Multiple File Upload for WooCommerce: desde n/a hasta 1.0.8. • https://patchstack.com/database/vulnerability/drag-and-drop-multiple-file-upload-for-woocommerce/wordpress-drag-and-drop-multiple-file-upload-for-woocommerce-plugin-1-0-8-multiple-vulnerabilities?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) CWE-434: Unrestricted Upload of File with Dangerous Type •