CVE-2025-5746: CWE-434 Unrestricted Upload of File with Dangerous Type in CodeDropz Drag and Drop Multiple File Upload (Pro) - WooCommerce
Description
The Drag and Drop Multiple File Upload (Pro) - WooCommerce plugin for WordPress is vulnerable to arbitrary file upload because the dnd_upload_cf7_upload_chunks() function performs no file type validation. Affected are versions 5.0 through 5.0.5 when the plugin is bundled with the PrintSpace theme, and all standalone versions up to and including 1.7.1. Unauthenticated attackers can upload arbitrary files to the affected site's server, which may make remote code execution possible. PHP execution in the upload directory is disabled via a .htaccess file, but remains possible in certain server configurations.
AI Analysis
Technical Summary
CVE-2025-5746 is a critical vulnerability, classified as CWE-434 (Unrestricted Upload of File with Dangerous Type), in the CodeDropz Drag and Drop Multiple File Upload (Pro) plugin for WooCommerce on WordPress. The flaw is in dnd_upload_cf7_upload_chunks(), the plugin's chunked upload handler: it does not validate the type of the file being uploaded, so an unauthenticated attacker can place a file with an arbitrary name and extension, including a PHP web shell, under the site's upload directory. Affected are versions 5.0 through 5.0.5 when the plugin ships with the PrintSpace theme and all standalone versions up to and including 1.7.1. The plugin drops a .htaccess file that disables PHP execution in its upload directory, but that protection is only as good as the web server's willingness to read it: .htaccess directives are honored by Apache alone, and only where AllowOverride permits them; nginx and other servers ignore the file entirely, and an Apache host with AllowOverride None does the same. Where the protection does not hold, the upload becomes remote code execution. The CVE was assigned by Wordfence and published on July 2, 2025 with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): network attack vector, low complexity, no privileges, no user interaction, and high impact on confidentiality, integrity and availability. No public exploit had been reported at the time of this analysis, but the endpoint is reachable without authentication and the attack needs nothing beyond a crafted upload request, so the risk of exploitation is high.
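The missing check, as an added illustration that is not the plugin's code: a vulnerable accept path that trusts the client-supplied filename, beside a hardened one that applies an extension allowlist, rejects embedded script extensions and dotfiles, sniffs the first chunk's magic bytes, and discards the client name in favour of a random server-chosen one. The allowlist, the upload directory and the sample filenames are assumptions for the example; it is written in Python rather than PHP so the logic reads independently of WordPress APIs.

```python
import os
import secrets

# Assumed allowlist for an order-attachment form; the real plugin's settings
# are not reproduced here.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}

# Leading bytes each allowed type must start with (checked on the first chunk).
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}

# Segments that must not appear anywhere in a stored name: servers configured
# with multi-extension handling may execute "logo.png.php" or "shell.php.jpg".
SCRIPT_SEGMENTS = {
    "php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "phps",
    "pht", "shtml", "cgi", "pl", "py", "asp", "aspx", "jsp", "htaccess",
}

UPLOAD_DIR = "wp-content/uploads/example-dnd"  # assumed path for illustration


class UploadRejected(ValueError):
    """Raised when a chunk must not be written."""


def vulnerable_accept(filename: str, first_chunk: bytes) -> str:
    """The pattern the advisory describes: the client-supplied name is trusted
    and chunks are appended to it. Returns the path that would be written."""
    return os.path.join(UPLOAD_DIR, os.path.basename(filename))


def hardened_accept(filename: str, first_chunk: bytes) -> str:
    """Validate the name and the first chunk, then return a server-chosen
    storage path. Raises UploadRejected on any failure."""
    name = os.path.basename(filename.replace("\\", "/"))
    if not name or name != filename or any(ord(c) < 32 or c == "\x7f" for c in name):
        raise UploadRejected("path separators or control characters in name")
    if name.startswith("."):
        raise UploadRejected("dotfiles such as .htaccess are not accepted")
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        raise UploadRejected("missing extension")
    ext = parts[-1]
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension .{ext} not in allowlist")
    if any(seg in SCRIPT_SEGMENTS for seg in parts[1:-1]):
        raise UploadRejected("script extension embedded in name")
    if not first_chunk.startswith(MAGIC[ext]):
        raise UploadRejected("content does not match declared type")
    # Discard the client's name entirely: a random server-side name removes
    # every remaining filename trick and stops an attacker guessing the URL.
    return os.path.join(UPLOAD_DIR, f"{secrets.token_hex(16)}.{ext}")


def classify(filename: str, first_chunk: bytes) -> str:
    """'accepted' or 'rejected: <reason>' for the hardened path."""
    try:
        hardened_accept(filename, first_chunk)
        return "accepted"
    except UploadRejected as exc:
        return f"rejected: {exc}"


# Constructed inputs: a real photo header and a handful of web-shell attempts.
JPEG_HEAD = b"\xff\xd8\xff\xe0\x00\x10JFIF"
PHP_HEAD = b"<?php system($_GET['c']); ?>"
CASES = [
    ("order-photo.jpg", JPEG_HEAD),
    ("shell.php", PHP_HEAD),
    ("shell.php.jpg", JPEG_HEAD),
    ("shell.jpg", PHP_HEAD),
    (".htaccess", b"AddType application/x-httpd-php .jpg\n"),
    ("../../shell.php", PHP_HEAD),
    ("shell.jpg\x00.php", JPEG_HEAD),
]

if __name__ == "__main__":
    for name, chunk in CASES:
        print(f"{name!r:24} vulnerable -> {vulnerable_accept(name, chunk)}")
        print(f"{'':24} hardened   -> {classify(name, chunk)}")
```

For a chunked protocol the same checks must run on the first chunk and the name must be fixed for the rest of the session, so that a later chunk cannot rename the file; the magic-byte test is a cheap filter, not a substitute for keeping the directory non-executable at the web server.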
Potential Impact
The impact is severe for any site running a vulnerable version of the plugin. A successful upload places attacker-controlled content, typically a web shell, on the web server; where it executes, the attacker gains code execution as the web server user, which on a typical WordPress host means read and write access to wp-config.php, the database credentials in it, and the whole site. From there the consequences are full site compromise, theft of customer and order data, defacement, persistence through further backdoors, and use of the host as a pivot into the surrounding network. Confidentiality, integrity and availability are all affected. Because the endpoint requires neither authentication nor user interaction, every exposed site is in scope and mass scanning is cheap. E-commerce operators face operational disruption, reputational damage and financial loss, and stores holding customer or payment data are attractive targets for deliberate attacks.
Mitigation Recommendations
Update the plugin to a fixed version as soon as CodeDropz provides one. Until then, and in any case as defence in depth:
1) Disable or remove the Drag and Drop Multiple File Upload (Pro) plugin if it is not essential to operations.
2) Make the upload directory non-executable at the web server, not only through the plugin's .htaccess: on Apache, confirm that AllowOverride permits the plugin's rules, or set an equivalent <Directory> block for wp-content/uploads that disables the PHP handler; on nginx, which ignores .htaccess, add a location block that refuses requests for .php and related extensions under /wp-content/uploads/. Confirm the result by placing a benign test .php file in the directory and requesting it; it must not execute.
3) Put a WAF in front of the site with rules that reject upload requests whose filenames carry script extensions, including double extensions such as .php.jpg, or whose content does not match the declared type.
4) Keep the upload directory isolated: a dedicated directory with restrictive filesystem permissions, no symlinks into application code, and no other writable path that the PHP handler serves.
5) Monitor web server logs for bursts of unauthenticated upload requests and for any request to a script-like path under wp-content/uploads/, and inspect the upload directory itself for unexpected .php, .phtml or .htaccess files.
6) Run regular vulnerability scans and audits to find installations still on an affected version.
7) Train development and operations staff on secure file upload handling: server-side allowlists, content sniffing, server-chosen filenames, and storage outside the web root where possible.
Combined with prompt patching, these measures materially reduce the risk of exploitation.
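Item 5 in practice, as an added example that is not part of the original advisory or of any vendor tooling: a small detector over combined-format access log lines that flags (a) any request for a script-like path under /wp-content/uploads/, with severity depending on whether the server answered 200, and (b) a burst of POSTs to admin-ajax.php from one client, the shape a chunked upload takes. The log lines, client addresses, the admin-ajax.php correlation and the burst threshold are constructed assumptions; the advisory does not name the endpoint the plugin uses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" access log line, e.g.
# 203.0.113.7 - - [02/Jul/2025:04:12:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 45 "-" "UA"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

UPLOADS_PREFIX = "/wp-content/uploads/"
AJAX_PATH = "/wp-admin/admin-ajax.php"
SCRIPT_SEGMENTS = {"php", "php3", "php4", "php5", "php7", "php8", "phtml",
                   "phar", "phps", "pht", "shtml", "cgi", "pl", "htaccess"}
# Tuning assumptions: a chunked upload shows up as a burst of POSTs to
# admin-ajax.php from one client. Normal WooCommerce traffic also uses that
# endpoint, so this rule is a correlation hint, not proof on its own.
BURST_COUNT, BURST_WINDOW_S = 5, 60


def parse(line):
    """Return a dict with ip, ts (datetime), method, path (no query), status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def script_in_uploads(path):
    """True when a path under wp-content/uploads/ carries a script extension
    anywhere in its basename (covers shell.php, logo.png.php, .htaccess)."""
    if not path.startswith(UPLOADS_PREFIX):
        return False
    base = path.rsplit("/", 1)[-1].lower()
    return any(seg in SCRIPT_SEGMENTS for seg in base.split(".")[1:])


def analyze(lines):
    """Return (severity, client_ip, message) findings for a list of log lines."""
    findings = []
    posts = defaultdict(deque)
    flagged = set()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if script_in_uploads(rec["path"]):
            # 200 means the server served or executed it; 403/404 means the
            # no-execute rule (or a WAF) held, but someone still tried.
            sev = "HIGH" if rec["status"] == 200 else "MEDIUM"
            findings.append((sev, rec["ip"],
                             f"script path under uploads: {rec['path']} -> {rec['status']}"))
        if rec["method"] == "POST" and rec["path"] == AJAX_PATH:
            q = posts[rec["ip"]]
            q.append(rec["ts"])
            while (q[-1] - q[0]).total_seconds() > BURST_WINDOW_S:
                q.popleft()
            if len(q) >= BURST_COUNT and rec["ip"] not in flagged:
                flagged.add(rec["ip"])
                findings.append(("MEDIUM", rec["ip"],
                                 f"{len(q)} POSTs to {AJAX_PATH} within {BURST_WINDOW_S}s "
                                 "(possible chunked upload)"))
    return findings


# Constructed sample log: one client pushes six chunks then fetches a dropped
# shell; a second client browses normally; a third probes a double extension
# that the upload directory's no-execute rule blocked.
SAMPLE_LOG = [
    f'203.0.113.7 - - [02/Jul/2025:04:12:0{i} +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 45 "-" "python-requests/2.32"'
    for i in range(1, 7)
] + [
    '203.0.113.7 - - [02/Jul/2025:04:12:09 +0000] "GET /wp-content/uploads/2025/07/x9.php?c=id HTTP/1.1" 200 312 "-" "python-requests/2.32"',
    '198.51.100.4 - - [02/Jul/2025:04:13:10 +0000] "GET /wp-content/uploads/2025/07/invoice.pdf HTTP/1.1" 200 88231 "https://shop.example/" "Mozilla/5.0"',
    '192.0.2.9 - - [02/Jul/2025:04:14:00 +0000] "GET /wp-content/uploads/2025/07/logo.png.php HTTP/1.1" 403 199 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    for sev, ip, msg in analyze(SAMPLE_LOG):
        print(f"[{sev}] {ip}: {msg}")
```

A 200 on a script path under the upload directory is the signal to act on immediately; a 403 there tells you the no-execute rule held but the directory should still be inspected, because the file itself may have been written.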
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan, South Korea
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-06-05T20:22:57.965Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6864b0fa6f40f0eb7291718c
Added to database: 7/2/2025, 4:09:30 AM
Last enriched: 2/27/2026, 3:32:16 PM
Last updated: 3/24/2026, 4:59:30 PM