CVE-2025-10412 is a critical security vulnerability classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) found in the MooMoo Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) WordPress plugin. This vulnerability arises from inadequate validation of uploaded file types within the 'uni_cpo_upload_file' function, allowing unauthenticated attackers to upload arbitrary files to the server hosting the affected WordPress site. Because the plugin is widely used to extend WooCommerce functionality by adding custom product options and price calculation formulas, the attack surface includes many e-commerce websites. The lack of proper file type restrictions means attackers can upload malicious scripts or web shells, potentially leading to remote code execution (RCE). The vulnerability affects all versions up to 4.9.54, with no authentication or user interaction required, increasing the ease of exploitation. The CVSS v3.1 base score is 9.8, reflecting the high impact on confidentiality, integrity, and availability, as well as the low attack complexity and no privileges needed. While no known exploits have been reported in the wild yet, the vulnerability's nature and severity make it a critical risk for affected sites. The plugin's misconfiguration represents a significant security flaw that can be leveraged to compromise entire web servers, steal sensitive data, or disrupt services.

The impact of CVE-2025-10412 is severe for organizations running WordPress e-commerce sites using the vulnerable Uni CPO plugin. Successful exploitation can lead to remote code execution, allowing attackers to execute arbitrary commands on the web server. This can result in full system compromise, data theft, defacement, installation of backdoors, or pivoting to internal networks. Confidential customer data, including payment information, could be exposed or manipulated. The integrity of product pricing and options could be altered, damaging business operations and trust. Availability may also be affected if attackers deploy ransomware or disrupt services. Given the plugin's role in WooCommerce, a widely used e-commerce platform, the vulnerability poses a significant risk to online retailers globally. The ease of exploitation without authentication increases the likelihood of automated attacks and mass exploitation attempts, especially once public exploit code becomes available.

1. Immediate update: Apply any available patches or updates from the plugin vendor addressing this vulnerability. If no patch is available, consider disabling or uninstalling the plugin until a fix is released. 2. File upload restrictions: Implement strict server-side validation to restrict allowed file types and enforce whitelist policies beyond the plugin's controls. 3. Web application firewall (WAF): Deploy a WAF with rules to detect and block malicious file uploads and suspicious HTTP requests targeting the vulnerable endpoint. 4. Least privilege: Ensure the web server and WordPress file permissions are configured with least privilege to limit the impact of any uploaded malicious files. 5. Monitoring and logging: Enable detailed logging of file uploads and monitor for unusual activity or newly created files in upload directories. 6. Isolate critical systems: Segment the web server from sensitive backend systems to reduce lateral movement risk if compromise occurs. 7. Backup and recovery: Maintain regular, tested backups of website data and configurations to enable rapid recovery in case of compromise. 8. Incident response readiness: Prepare incident response plans specifically for web server compromises involving file upload vulnerabilities.