CVE-2025-13329 is a critical security vulnerability classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) found in the File Uploader for WooCommerce plugin for WordPress. The flaw exists in the callback function handling the 'add-image-data' REST API endpoint, where the plugin fails to validate the file types being uploaded. This lack of validation allows unauthenticated attackers to upload arbitrary files, including potentially malicious scripts, to the Uploadcare service integrated with the plugin. Once uploaded, these files can be downloaded and executed on the affected WordPress server, potentially leading to remote code execution (RCE). The vulnerability affects all versions up to and including 1.0.3 of the plugin. The CVSS v3.1 score of 9.8 reflects the vulnerability's ease of exploitation (no authentication or user interaction required), its network attack vector, and its severe impact on confidentiality, integrity, and availability. Although no public exploits have been reported yet, the vulnerability poses a significant risk due to the widespread use of WooCommerce and WordPress in e-commerce environments. The absence of patch links suggests that a fix may not yet be publicly available, increasing the urgency for mitigation.

The impact of CVE-2025-13329 is severe for organizations running WordPress sites with WooCommerce that utilize the vulnerable File Uploader plugin. Successful exploitation can lead to remote code execution, allowing attackers to execute arbitrary commands on the server, potentially leading to full system compromise. This can result in data breaches, defacement, installation of backdoors, ransomware deployment, or pivoting to internal networks. The vulnerability affects confidentiality by exposing sensitive data, integrity by allowing unauthorized modifications, and availability by potentially disrupting services. Given WooCommerce's extensive use in online retail, exploitation could disrupt e-commerce operations, damage brand reputation, and cause financial losses. The lack of authentication and user interaction requirements makes the attack feasible at scale, increasing the risk of automated exploitation attempts globally.

To mitigate this vulnerability, organizations should immediately audit their WordPress installations for the presence of the File Uploader for WooCommerce plugin and verify its version. If an updated patched version is released, apply it without delay. In the absence of an official patch, disable or remove the vulnerable plugin to eliminate the attack surface. Implement Web Application Firewall (WAF) rules to block requests to the 'add-image-data' REST API endpoint or restrict access to trusted IP addresses only. Employ strict file upload validation and sanitization controls at the application or server level to prevent dangerous file types from being processed. Monitor server logs and Uploadcare service usage for suspicious upload activity. Additionally, restrict permissions on upload directories to prevent execution of uploaded files and regularly back up site data to enable recovery in case of compromise. Engage with the plugin vendor for updates and security advisories.