
CVE-2025-10412: CWE-434 Unrestricted Upload of File with Dangerous Type in MooMoo Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium)

Severity: Critical
Tags: Vulnerability, CVE, CVE-2025-10412, CWE-434
Published: Tue Sep 23 2025 (09/23/2025, 09:25:56 UTC)
Source: CVE Database V5
Vendor/Project: MooMoo
Product: Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium)

Description

The Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) plugin for WordPress is vulnerable to arbitrary file uploads due to misconfigured file type validation in the 'uni_cpo_upload_file' function in all versions up to, and including, 4.9.54. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

AI-Powered Analysis

Last updated: 09/23/2025, 09:34:48 UTC

Technical Analysis

CVE-2025-10412 is a critical security vulnerability affecting the 'Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium)' plugin developed by MooMoo for WordPress. This plugin is widely used to extend WooCommerce functionality by allowing advanced product options and dynamic price calculations. The vulnerability arises from improper validation of uploaded files in the 'uni_cpo_upload_file' function across all plugin versions up to and including 4.9.54. Specifically, the plugin fails to restrict the types of files that can be uploaded, allowing unauthenticated attackers to upload arbitrary files, including potentially malicious scripts. This unrestricted file upload vulnerability (CWE-434) can lead to remote code execution (RCE) on the affected web server if the attacker uploads executable code such as PHP scripts. The CVSS v3.1 base score of 9.8 reflects the critical nature of this flaw, indicating that it can be exploited remotely without any authentication or user interaction, and can compromise confidentiality, integrity, and availability of the system. Although no public exploits have been reported yet, the ease of exploitation and the critical impact make this vulnerability a high priority for patching or mitigation. Given the widespread use of WooCommerce and the popularity of this plugin among e-commerce sites, the vulnerability poses a significant risk to online retailers using WordPress in general and the Uni CPO plugin in particular.

Potential Impact

For European organizations, this vulnerability presents a severe risk, especially for e-commerce businesses relying on WooCommerce and the Uni CPO plugin to manage product options and pricing. Successful exploitation could allow attackers to upload malicious code, leading to full server compromise, data theft (including customer personal and payment information), defacement of websites, disruption of business operations, and potential ransomware deployment. Given the GDPR regulations in Europe, a breach involving customer data could result in substantial regulatory fines and reputational damage. The vulnerability’s unauthenticated nature means attackers do not need valid credentials, increasing the attack surface. Moreover, many European small and medium enterprises (SMEs) use WordPress-based e-commerce solutions, often with limited cybersecurity resources, making them particularly vulnerable. The impact extends beyond individual businesses to supply chains and customers, potentially affecting trust in digital commerce platforms across Europe.

Mitigation Recommendations

Immediate mitigation steps include disabling the vulnerable file upload functionality if feasible until a patch is available. Organizations should monitor for updates from the plugin vendor and apply patches promptly once released. In the interim, implementing web application firewall (WAF) rules to block suspicious file uploads or requests targeting the vulnerable endpoint ('uni_cpo_upload_file') can reduce risk. Restricting file upload permissions on the server and ensuring uploaded files are stored outside the webroot or with strict execution restrictions can limit exploitation impact. Regularly auditing server logs for unusual upload activity and scanning for web shells or unauthorized files is recommended. Additionally, enforcing least privilege on the web server and isolating WordPress instances can help contain potential breaches. Organizations should also review their backup and incident response plans to prepare for possible compromise scenarios.
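The last two recommendations above (auditing server logs for unusual upload activity and scanning for web shells or unauthorized files) can be turned into a small triage routine. The following is an added example written for this page; it is not code from the plugin, from MooMoo, or from the advisory. It assumes that the vulnerable function is reached through a WordPress AJAX request of the form `POST /wp-admin/admin-ajax.php?action=uni_cpo_upload_file` (the advisory names only the function, so the request shape is an assumption), that logs are in the common combined format, and that uploads live under `/wp-content/uploads/`. The log lines and the files in the demo directory are constructed for the example.

```python
"""Defender-side triage for an unrestricted-upload bug in a WordPress plugin.

Two checks:
  1. Correlate log evidence: a POST to the (assumed) upload action followed, from
     the same client, by a GET of a script inside the uploads tree.
  2. Sweep the uploads directory for files that should never be there:
     executable extensions (including double extensions) and PHP open tags
     hidden inside files with innocent names.
Added example, not the project's or advisory's code; request path, action
name and log format are assumptions.
"""
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# Extensions most PHP-enabled web servers hand to the interpreter.
EXECUTABLE_EXTS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps"}
UPLOADS_PREFIX = "/wp-content/uploads/"
UPLOAD_ACTION = "uni_cpo_upload_file"  # assumed AJAX action name

# Combined-log style line: client, identity, user, [timestamp], "METHOD PATH PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample traffic (RFC 5737 documentation addresses), not real logs.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Sep/2025:10:01:12 +0000] "POST /wp-admin/admin-ajax.php?action=uni_cpo_upload_file HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [23/Sep/2025:10:01:15 +0000] "GET /wp-content/uploads/2025/09/invoice.php HTTP/1.1" 200 87 "-" "Mozilla/5.0"
198.51.100.9 - - [23/Sep/2025:10:02:01 +0000] "GET /product/custom-mug/ HTTP/1.1" 200 20411 "-" "Mozilla/5.0"
198.51.100.9 - - [23/Sep/2025:10:02:30 +0000] "POST /wp-admin/admin-ajax.php?action=uni_cpo_upload_file HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.7 - - [23/Sep/2025:10:03:00 +0000] "GET /wp-content/uploads/2025/09/mug.jpg HTTP/1.1" 200 30210 "-" "Mozilla/5.0"
192.0.2.7 - - [23/Sep/2025:10:03:05 +0000] "GET /wp-content/uploads/2025/09/old.phtml HTTP/1.1" 200 61 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def has_executable_ext(name):
    """True if any suffix of the name is executable, so 'logo.php.png' is caught too."""
    suffixes = {s.lower() for s in Path(name).suffixes}
    return bool(suffixes & EXECUTABLE_EXTS)


def find_upload_then_execute(lines):
    """Flag upload requests and any later fetch of a script from the uploads tree.

    A script fetch from a client that previously hit the upload action is rated
    'high'; a script fetch with no such prior request is still 'medium', because
    nothing executable should be served from the uploads directory at all.
    """
    seen_upload = defaultdict(list)
    findings = []
    for raw in lines:
        rec = parse_line(raw)
        if not rec:
            continue
        path, _, query = rec["path"].partition("?")
        if rec["method"] == "POST" and f"action={UPLOAD_ACTION}" in query:
            seen_upload[rec["ip"]].append(rec["ts"])
            findings.append({"kind": "upload_request", "ip": rec["ip"], "ts": rec["ts"], "path": path})
        elif path.startswith(UPLOADS_PREFIX) and has_executable_ext(path):
            severity = "high" if rec["ip"] in seen_upload else "medium"
            findings.append({"kind": "executable_in_uploads", "ip": rec["ip"], "ts": rec["ts"],
                             "path": path, "severity": severity})
    return findings


def scan_uploads(root):
    """Return (relative_path, reason) for files that do not belong in an uploads tree."""
    hits = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = str(p.relative_to(root))
        if has_executable_ext(p.name):
            hits.append((rel, "executable extension"))
            continue
        head = p.read_bytes()[:4096]  # open tags near the start are the common case
        if b"<?php" in head or b"<?=" in head:
            hits.append((rel, "php open tag in non-php file"))
    return hits


def build_demo_tree():
    """Constructed uploads directory for a self-contained run; contents are placeholders."""
    root = Path(tempfile.mkdtemp(prefix="uploads_demo_"))
    d = root / "2025" / "09"
    d.mkdir(parents=True)
    (d / "mug.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed jpeg stand-in")
    (d / "notes.txt").write_bytes(b"harmless <?xml version='1.0'?> text")
    (d / "invoice.php").write_bytes(b"<?php /* constructed: script with php extension */ ?>")
    (d / "logo.php.png").write_bytes(b"\x89PNG constructed double-extension file")
    (d / "avatar.jpg").write_bytes(b"GIF89a <?php /* constructed: php tag hidden in an image */ ?>")
    return root


if __name__ == "__main__":
    for f in find_upload_then_execute(SAMPLE_LOG.splitlines()):
        print(f)
    for rel, why in scan_uploads(build_demo_tree()):
        print(f"{rel}: {why}")
```

On a real host, replace `SAMPLE_LOG` with the access log and `build_demo_tree()` with the site's `wp-content/uploads` path. The file sweep only reads the first 4 KiB of each file, which is enough for open tags placed at the start of a polyglot but will miss a tag buried deep in a large file; treat a clean sweep as a quick check, not proof of absence.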


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-09-13T23:01:44.618Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68d269a359387df52bc4222b

Added to database: 9/23/2025, 9:34:27 AM

Last enriched: 9/23/2025, 9:34:48 AM

Last updated: 9/24/2025, 8:45:04 AM
