CVE-2025-11391 is a critical security vulnerability identified in the PPOM – Product Addons & Custom Fields for WooCommerce plugin, widely used in WordPress e-commerce environments. The vulnerability stems from the plugin's image cropper functionality, which lacks proper file type validation, allowing unauthenticated attackers to upload arbitrary files to the server. This unrestricted file upload flaw (CWE-434) can be exploited to upload malicious scripts or executables, potentially leading to remote code execution (RCE). The vulnerability affects all versions up to and including 33.0.15, but only impacts users who have the paid version installed and activated, despite the vulnerable code residing in the free version. The attack vector requires no privileges or user interaction, making it highly exploitable remotely over the network. The CVSS v3.1 score of 9.8 reflects the critical nature of the flaw, with high impact on confidentiality, integrity, and availability. Although no active exploits have been reported, the severity and ease of exploitation make this a significant threat to WordPress sites using this plugin. The lack of an official patch at the time of publication necessitates urgent attention from administrators to implement workarounds or disable the vulnerable functionality until an update is available.

The impact of CVE-2025-11391 is severe for organizations running WooCommerce stores with the PPOM plugin paid version activated. Successful exploitation can lead to full remote code execution on the web server, allowing attackers to execute arbitrary commands, deploy malware, steal sensitive data, or pivot within the network. This compromises the confidentiality, integrity, and availability of the affected systems and data. E-commerce platforms are particularly sensitive targets due to the presence of customer data, payment information, and business-critical operations. The vulnerability’s unauthenticated nature means attackers can exploit it without any credentials, increasing the risk of widespread automated attacks. Organizations could face financial losses, reputational damage, regulatory penalties, and operational disruptions. Given WooCommerce’s global popularity, the threat has broad implications for online retailers worldwide.

1. Immediately identify if the paid version of the PPOM plugin is installed and activated on your WordPress sites. 2. Disable or deactivate the PPOM plugin until a security patch is released by the vendor. 3. Restrict file upload permissions on the server to prevent execution of uploaded files, such as disabling PHP execution in upload directories. 4. Implement web application firewall (WAF) rules to detect and block suspicious file upload attempts targeting the image cropper functionality. 5. Monitor server logs for unusual upload activity or unauthorized access attempts. 6. Regularly update WordPress core, plugins, and themes to the latest versions once patches are available. 7. Conduct security audits and penetration testing focused on file upload mechanisms. 8. Educate site administrators on the risks of installing paid plugins without timely updates and encourage use of security best practices. 9. Consider isolating critical e-commerce components in segmented network zones to limit lateral movement in case of compromise.