CVE-2025-11391 is a critical security vulnerability classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) found in the PPOM – Product Addons & Custom Fields for WooCommerce plugin for WordPress. The vulnerability arises from a lack of proper file type validation in the plugin's image cropper functionality, allowing unauthenticated attackers to upload arbitrary files to the server hosting the affected WordPress site. This flaw exists in all versions up to and including 33.0.15. Although the vulnerable code is present in the free version of the plugin, exploitation requires the paid version to be installed and activated, limiting the affected user base to paying customers. The arbitrary file upload capability can be leveraged to execute remote code on the server, potentially leading to full system compromise, data theft, or site defacement. The vulnerability has a CVSS 3.1 base score of 9.8, reflecting its critical nature, with attack vector being network-based, no privileges or user interaction required, and impacts to confidentiality, integrity, and availability all rated high. No public exploits have been reported yet, but the severity and ease of exploitation make this a high-risk issue. The vulnerability was publicly disclosed on October 18, 2025, with no patches available at the time of reporting, emphasizing the need for immediate defensive measures.

For European organizations, especially those operating e-commerce platforms using WooCommerce with the PPOM plugin, this vulnerability poses a severe risk. Successful exploitation can lead to remote code execution, allowing attackers to gain full control over the web server. This can result in data breaches involving customer information, financial data, and intellectual property. Additionally, attackers could deface websites, disrupt services, or use compromised servers as a foothold for further attacks within the corporate network. The impact on availability could lead to significant business disruption and reputational damage. Given the critical CVSS score and the lack of required authentication, the threat is highly accessible to attackers globally, including those targeting European entities. The vulnerability also increases the risk of compliance violations under GDPR due to potential unauthorized data access or leakage.

1. Immediately monitor for updates or patches from themeisle and apply them as soon as they become available. 2. If patching is not yet possible, consider disabling or uninstalling the PPOM plugin, especially the paid version, to eliminate the attack vector. 3. Implement strict web application firewall (WAF) rules to detect and block suspicious file upload attempts targeting the image cropper functionality. 4. Restrict file upload permissions on the server to prevent execution of uploaded files, for example by disabling execution in upload directories. 5. Conduct thorough audits of existing uploaded files to detect any malicious payloads already present. 6. Employ intrusion detection systems (IDS) and continuous monitoring to identify anomalous activities indicative of exploitation attempts. 7. Educate site administrators on the risks and signs of compromise related to this vulnerability. 8. Limit exposure by restricting access to the WordPress admin interface and plugin functionalities via IP whitelisting or VPN where feasible. 9. Regularly back up website data and configurations to enable rapid recovery in case of compromise.