CVE-2025-2780: CWE-434 Unrestricted Upload of File with Dangerous Type in WofficeIO Woffice Core
The Woffice Core plugin for WordPress, used by the Woffice Theme, is vulnerable to arbitrary file uploads due to missing file type validation in the 'saveFeaturedImage' function in all versions up to, and including, 5.4.21. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
AI Analysis
Technical Summary
CVE-2025-2780 is a high-severity vulnerability in the Woffice Core plugin for WordPress, which is integral to the Woffice Theme. The vulnerability arises from missing file type validation in the 'saveFeaturedImage' function, allowing authenticated users with Subscriber-level privileges or higher to upload arbitrary files to the server. This unrestricted file upload flaw (CWE-434) can be exploited to place malicious files on the web server, potentially leading to remote code execution (RCE). Because exploitation requires only low-privileged authenticated access and no user interaction, the barrier to exploitation is low. The CVSS 3.1 score of 8.8 reflects high impact on confidentiality, integrity, and availability, with a network attack vector, low attack complexity, and no user interaction required. All versions of Woffice Core up to and including 5.4.21 are affected, and no patch is currently available. Although no exploits are known in the wild yet, the nature of the flaw and the widespread use of WordPress and the Woffice Theme on corporate and organizational websites make this a serious threat. Attackers could use this flaw to upload web shells or other malicious payloads, leading to full system compromise, data theft, defacement, or lateral movement within the network.
Potential Impact
For European organizations, this vulnerability poses a significant risk due to the widespread adoption of WordPress as a content management system and the popularity of the Woffice Theme in intranet and collaboration portals. Successful exploitation can lead to unauthorized access to sensitive corporate data, disruption of business operations, and reputational damage. Given the ability to achieve remote code execution, attackers could deploy ransomware, exfiltrate personal data protected under GDPR, or pivot to other internal systems. The impact is heightened for sectors with strict compliance requirements such as finance, healthcare, and government institutions across Europe. Additionally, the vulnerability could be exploited to launch attacks on European supply chains or critical infrastructure if these rely on affected WordPress installations. The lack of a patch increases the urgency for organizations to implement compensating controls to prevent exploitation.
Mitigation Recommendations
Immediate mitigation should include restricting access to the WordPress admin area to trusted users only and enforcing the principle of least privilege by reviewing and minimizing Subscriber-level accounts. Organizations should implement web application firewalls (WAFs) with rules to detect and block suspicious file upload attempts targeting the 'saveFeaturedImage' function or unusual file types. Monitoring and logging file uploads and changes in the WordPress uploads directory can help detect exploitation attempts early. Disabling or limiting plugin functionality related to file uploads until a patch is released is advisable. Regular backups and incident response plans should be updated to prepare for potential compromise. Organizations should also subscribe to vendor advisories and security mailing lists to apply patches promptly once available. Network segmentation to isolate WordPress servers and applying strict outbound traffic controls can reduce the impact of a successful breach.
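As an added illustration (not code from the advisory, from Wordfence, or from the Woffice project), the following Python shows the kind of file type check the description says 'saveFeaturedImage' lacks, and reuses that same check as an audit pass over an uploads tree, which is the monitoring control recommended above. The extension allowlist, the magic-byte table, the function names and the sample files are all assumptions constructed for the example; WordPress itself is PHP, so this is a language-neutral model of the logic, not a drop-in patch.

```python
import os
import tempfile

# Assumed allowlist for a "featured image" upload: extension -> leading bytes.
# The advisory states the vulnerable function performs no such check.
ALLOWED = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}
# Extension components that some web server configurations hand to the PHP
# interpreter even when they are not the final extension (e.g. name.php.jpg).
EXECUTABLE_PARTS = {"php", "phtml", "phar", "php5", "php7"}


def validate_image_upload(filename, data):
    """Return (ok, reason) for a proposed upload.

    Accept only allowlisted extensions whose leading bytes match the declared
    image type, and reject any executable-looking secondary extension.
    """
    name = os.path.basename(filename)  # ignore any directory components
    parts = name.lower().split(".")
    if len(parts) < 2:
        return False, "no extension"
    ext = parts[-1]
    if ext not in ALLOWED:
        return False, f"extension .{ext} not allowed"
    if any(p in EXECUTABLE_PARTS for p in parts[1:-1]):
        return False, "executable extension component"
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match declared image type"
    return True, "ok"


def audit_uploads_dir(root):
    """Walk an uploads tree and return (relative path, reason) for every file
    that would fail validation; meant as a scheduled after-the-fact check."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            path = os.path.join(dirpath, f)
            with open(path, "rb") as fh:
                head = fh.read(16)  # enough for every signature in ALLOWED
            ok, reason = validate_image_upload(f, head)
            if not ok:
                findings.append((os.path.relpath(path, root), reason))
    return sorted(findings)


def demo():
    """Build a constructed sample uploads tree and return the audit findings."""
    with tempfile.TemporaryDirectory() as root:
        sub = os.path.join(root, "2025", "06")
        os.makedirs(sub)
        samples = {  # constructed sample files, not real uploads
            "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,
            "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
            "shell.php": b"<?php echo 1; ?>",
            "shell.php.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,
            "fake.gif": b"<?php echo 1; ?>",
        }
        for name, content in samples.items():
            with open(os.path.join(sub, name), "wb") as fh:
                fh.write(content)
        return audit_uploads_dir(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

The audit flags three of the five constructed files: the bare `.php` file, the double-extension `.php.jpg` file, and the `.gif` whose content is not a GIF. A check like this belongs in the upload handler, but it is a first-line control only; serving the uploads directory with script execution disabled is what actually removes the RCE consequence if a file slips through.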
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-03-24T22:52:01.711Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68487f5a1b0bd07c3938b49a
Added to database: 6/10/2025, 6:54:18 PM
Last enriched: 7/10/2025, 10:34:42 PM
Last updated: 7/30/2025, 7:24:29 PM
Related Threats
- CVE-2025-8959: CWE-59: Improper Link Resolution Before File Access (Link Following) in HashiCorp Shared library (High)
- CVE-2025-44201 (Low)
- CVE-2025-36088: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in IBM Storage TS4500 Library (Medium)
- CVE-2025-43490: CWE-59 Improper Link Resolution Before File Access ('Link Following') in HP, Inc. HP Hotkey Support Software (Medium)
- CVE-2025-9060: CWE-20 Improper Input Validation in MSoft MFlash (Critical)