CVE-2025-4387: CWE-434 Unrestricted Upload of File with Dangerous Type in Tyche Softwares Abandoned Cart Pro for WooCommerce
The Abandoned Cart Pro for WooCommerce plugin contains an authenticated arbitrary file upload vulnerability due to missing file type validation in the wcap_add_to_cart_popup_upload_files function in all versions up to, and including, 9.16.0. This makes it possible for an authenticated attacker, with subscriber-level access and above, to upload arbitrary files on the affected site's server which may allow for either remote or local code execution depending on the server configuration.
AI Analysis
Technical Summary
CVE-2025-4387 is a high-severity vulnerability affecting the Abandoned Cart Pro for WooCommerce plugin developed by Tyche Softwares. The vulnerability arises from an authenticated arbitrary file upload flaw due to insufficient file type validation in the function wcap_add_to_cart_popup_upload_files. This flaw exists in all versions up to and including 9.16.0. An attacker with at least subscriber-level access can exploit this vulnerability to upload arbitrary files to the server hosting the WooCommerce site. Depending on the server configuration, this can lead to remote or local code execution, allowing the attacker to execute malicious code, potentially take control of the web server, access sensitive data, or disrupt service availability. The vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type), indicating that the plugin does not properly restrict the types of files that can be uploaded, enabling dangerous file types to be placed on the server. The CVSS v3.1 base score is 8.8, reflecting a high impact on confidentiality, integrity, and availability, with low attack complexity, requiring only low privileges (subscriber-level) and no user interaction. No public exploits are known at this time, and no patches have been released yet, which increases the urgency for affected organizations to implement mitigations or consider temporary risk reduction strategies.
Potential Impact
For European organizations running WooCommerce with the Abandoned Cart Pro plugin, this vulnerability poses a significant risk. Exploitation could lead to unauthorized server access, data breaches involving customer and transaction data, defacement of e-commerce sites, or disruption of business operations. Given the widespread use of WooCommerce in Europe for online retail, especially among small and medium enterprises, the impact could be broad. Compromise of e-commerce platforms can also damage brand reputation and lead to regulatory penalties under GDPR if personal data is exposed. Additionally, attackers could leverage the compromised servers as footholds for further lateral movement within corporate networks. The fact that exploitation requires only subscriber-level access means that even low-privileged users or compromised accounts could be used as attack vectors, increasing the threat surface.
Mitigation Recommendations
Since no official patches are currently available, European organizations should take immediate steps to mitigate risk. These include:
1) Restricting file upload permissions by disabling or limiting the use of the vulnerable upload functionality for subscriber-level users through plugin or WordPress role configuration.
2) Implementing web application firewall (WAF) rules to detect and block suspicious file uploads or execution attempts targeting the vulnerable function.
3) Monitoring server logs and WordPress activity logs for unusual file uploads or changes in the plugin directories.
4) Applying strict server-side file type validation and restricting executable permissions on upload directories to prevent execution of uploaded files.
5) Temporarily disabling the Abandoned Cart Pro plugin if feasible until a patch is released.
6) Enforcing strong authentication and account monitoring to prevent account takeover of subscriber-level users.
7) Keeping WordPress core and other plugins updated to reduce overall attack surface.
Organizations should also prepare to deploy patches promptly once available and conduct thorough incident response readiness.
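To make item 4 concrete, here is an added example (not code from the Abandoned Cart Pro plugin or from Tyche Softwares) of the server-side allowlist check whose absence CWE-434 describes: it rejects executable extensions anywhere in the name, requires the file bytes to match the declared type, refuses image/PHP polyglots, and stores under a random name. The names ALLOWED, EXEC_EXT_RE and validate_upload are assumptions.

```python
import os
import re
import secrets

# Added example, not the plugin's code. Extension -> accepted magic-byte prefixes.
# Anything not listed is rejected, so this is an allowlist, not a blocklist.
ALLOWED = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}

# Extensions a PHP web server may execute. They are refused anywhere in the name
# ("x.php", "x.php5", "x.php.png", ".htaccess"), not only as the final suffix.
EXEC_EXT_RE = re.compile(r"\.(php\d?|phtml|phar|pht|cgi|pl|py|sh|htaccess)(\.|$)", re.I)


def validate_upload(filename: str, data: bytes, max_bytes: int = 5 * 1024 * 1024):
    """Return (ok, reason, safe_name). On success safe_name is a random name
    carrying the vetted extension, so the client-chosen name never reaches disk."""
    if not data:
        return False, "empty file", None
    if len(data) > max_bytes:
        return False, "file too large", None
    if "\x00" in filename or "/" in filename or "\\" in filename:
        return False, "illegal characters in filename", None
    base = os.path.basename(filename)
    if EXEC_EXT_RE.search(base):
        return False, "executable extension", None
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED:
        return False, "extension not in allowlist", None
    # Declared type must match the bytes: a PHP file renamed to .png fails here.
    if not any(data.startswith(sig) for sig in ALLOWED[ext]):
        return False, "content does not match declared type", None
    # A valid image header followed by a PHP open tag is a polyglot; refuse it too.
    if b"<?php" in data:
        return False, "embedded script tag", None
    return True, "ok", f"{secrets.token_hex(16)}.{ext}"
```

Pair this with the web-server rule from item 4 that refuses to execute scripts from the upload directory; validation alone does nothing for files that were already written before the check existed.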
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-05-06T17:02:27.568Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68487f561b0bd07c3938a4f9
Added to database: 6/10/2025, 6:54:14 PM
Last enriched: 7/11/2025, 1:03:38 AM
Last updated: 8/21/2025, 12:45:29 PM