Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-4387

The Abandoned Cart Pro for WooCommerce plugin contains an authenticated arbitrary file upload vulnerability due to missing file type validation in the wcap_add_to_cart_popup_upload_files function in all versions up to, and including, 9.16.0. This makes it possible for an authenticated attacker, with subscriber-level access and above, to upload arbitrary files on the affected site's server which may allow for either remote or local code execution depending on the server configuration.

Published

2025-06-10T04:15:34.623

Last Modified

2025-06-12T16:06:39.330

Status

Awaiting Analysis

Source

[email protected]

Severity

CVSSv3.1: 8.8 (HIGH)

Weaknesses

Type: Secondary
CWE-434

Affected Vendors & Products

References

https://www.tychesoftwares.com/docs/docs/abandoned-cart-pro-for-woocommerce-new/changelog-abandoned-cart-pro/#changelog-abandon-cart-pro-for-woocommerce-9-17-0-release-date-m ([email protected])
https://www.tychesoftwares.com/products/woocommerce-abandoned-cart-pro-plugin/ ([email protected])
https://www.wordfence.com/threat-intel/vulnerabilities/id/5d2f07bb-89b3-41d4-b606-9722deecf816?source=cve ([email protected])