CVE-2025-2780: CWE-434 Unrestricted Upload of File with Dangerous Type in WofficeIO Woffice Core

Severity: High
Tags: Vulnerability, CVE-2025-2780, cve, cve-2025-2780, cwe-434
Published: Fri Apr 04 2025 (04/04/2025, 07:00:13 UTC)
Source: CVE Database V5
Vendor/Project: WofficeIO
Product: Woffice Core

Description

The Woffice Core plugin for WordPress, used by the Woffice Theme, is vulnerable to arbitrary file uploads due to missing file type validation in the 'saveFeaturedImage' function in all versions up to, and including, 5.4.21. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

AI-Powered Analysis

Last updated: 07/10/2025, 22:34:42 UTC

Technical Analysis

CVE-2025-2780 is a high-severity vulnerability affecting the Woffice Core plugin for WordPress, which is integral to the Woffice Theme. The vulnerability arises from improper validation of file types in the 'saveFeaturedImage' function, allowing authenticated users with Subscriber-level privileges or higher to upload arbitrary files to the server. This unrestricted file upload flaw (CWE-434) can be exploited to place malicious files on the web server, potentially leading to remote code execution (RCE). Since the vulnerability requires only low-level authenticated access and no user interaction, it significantly lowers the barrier for exploitation. The CVSS 3.1 score of 8.8 reflects the critical impact on confidentiality, integrity, and availability, with network attack vector, low attack complexity, and no user interaction needed. The vulnerability affects all versions of Woffice Core up to and including 5.4.21, with no patch currently available. Although no known exploits are reported in the wild yet, the nature of the vulnerability and the widespread use of WordPress and Woffice Theme in corporate and organizational websites make this a serious threat. Attackers could leverage this flaw to upload web shells or other malicious payloads, leading to full system compromise, data theft, defacement, or further lateral movement within the network.

Potential Impact

For European organizations, this vulnerability poses a significant risk due to the widespread adoption of WordPress as a content management system and the popularity of the Woffice Theme in intranet and collaboration portals. Successful exploitation can lead to unauthorized access to sensitive corporate data, disruption of business operations, and reputational damage. Given the ability to achieve remote code execution, attackers could deploy ransomware, exfiltrate personal data protected under GDPR, or pivot to other internal systems. The impact is heightened for sectors with strict compliance requirements such as finance, healthcare, and government institutions across Europe. Additionally, the vulnerability could be exploited to launch attacks on European supply chains or critical infrastructure if these rely on affected WordPress installations. The lack of a patch increases the urgency for organizations to implement compensating controls to prevent exploitation.

Mitigation Recommendations

Immediate mitigation should include restricting access to the WordPress admin area to trusted users only and enforcing the principle of least privilege by reviewing and minimizing Subscriber-level accounts. Organizations should implement web application firewalls (WAFs) with rules to detect and block suspicious file upload attempts targeting the 'saveFeaturedImage' function or unusual file types. Monitoring and logging file uploads and changes in the WordPress uploads directory can help detect exploitation attempts early. Disabling or limiting plugin functionality related to file uploads until a patch is released is advisable. Regular backups and incident response plans should be updated to prepare for potential compromise. Organizations should also subscribe to vendor advisories and security mailing lists to apply patches promptly once available. Network segmentation to isolate WordPress servers and applying strict outbound traffic controls can reduce the impact of a successful breach.
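
One way to implement the uploads-directory monitoring recommended above, as an added example (not code from Woffice, WordPress or this advisory): a triage scan that flags files a featured-image upload should never produce. The extension list, the 1 MiB read limit and the constructed sample tree are assumptions; on a real site, point `scan_uploads` at the `wp-content/uploads` directory.

```python
import os
import tempfile

# Extensions commonly routed to the PHP handler (assumption: adjust to your server).
EXEC_EXTS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".pht"}
# Magic bytes expected at the start of legitimate featured-image files.
JPEG, PNG = (b"\xff\xd8\xff",), (b"\x89PNG\r\n\x1a\n",)
IMAGE_MAGIC = {".jpg": JPEG, ".jpeg": JPEG, ".png": PNG, ".gif": (b"GIF87a", b"GIF89a")}

def inspect_file(path):
    """Return the reasons a file looks unsafe; an empty list means nothing found."""
    reasons = []
    parts = os.path.basename(path).lower().split(".")
    if {"." + p for p in parts[1:]} & EXEC_EXTS:  # any position: logo.php.png
        reasons.append("executable extension")
    with open(path, "rb") as fh:
        data = fh.read(1024 * 1024)  # the first 1 MiB is enough for triage
    magic = IMAGE_MAGIC.get("." + parts[-1])
    if magic and not data.startswith(magic):
        reasons.append("image extension, wrong magic bytes")
    if b"<?php" in data.lower():
        reasons.append("PHP open tag in content")
    return reasons

def scan_uploads(root):
    """Walk the uploads tree; map relative path -> reasons for each flagged file."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if reasons := inspect_file(full):
                findings[os.path.relpath(full, root).replace(os.sep, "/")] = reasons
    return findings

def demo():
    """Scan a constructed uploads tree (sample files are built here, not real data)."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    php = b"<?php /* constructed sample */ ?>"
    samples = {"photo.png": png, "avatar.php": php, "banner.jpg": php, "logo.php.png": png}
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "2025", "04"))
        for name, body in samples.items():
            with open(os.path.join(root, "2025", "04", name), "wb") as fh:
                fh.write(body)
        return scan_uploads(root)

if __name__ == "__main__":
    print("\n".join(f"{p} -> {r}" for p, r in sorted(demo().items())))
```

Run it on a schedule and alert on any non-empty result; a clean scan does not rule out compromise, since it only covers files still present under the scanned root.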

Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-03-24T22:52:01.711Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68487f5a1b0bd07c3938b49a

Added to database: 6/10/2025, 6:54:18 PM

Last enriched: 7/10/2025, 10:34:42 PM

Last updated: 7/30/2025, 7:24:29 PM
