
CVE-2025-5746: CWE-434 Unrestricted Upload of File with Dangerous Type in CodeDropz Drag and Drop Multiple File Upload (Pro) - WooCommerce

Critical
Tags: Vulnerability, CVE-2025-5746, CWE-434
Published: Wed Jul 02 2025 (07/02/2025, 03:47:23 UTC)
Source: CVE Database V5
Vendor/Project: CodeDropz
Product: Drag and Drop Multiple File Upload (Pro) - WooCommerce

Description

The Drag and Drop Multiple File Upload (Pro) - WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the dnd_upload_cf7_upload_chunks() function in versions 5.0 - 5.0.5 (when bundled with the PrintSpace theme) and all versions up to, and including, 1.7.1 (in the standalone version). This makes it possible for unauthenticated attackers to upload arbitrary files to the affected site's server, which may make remote code execution possible. The execution of PHP is disabled via a .htaccess file but is still possible in certain server configurations.

AI-Powered Analysis

Last updated: 07/02/2025, 04:25:20 UTC

Technical Analysis

CVE-2025-5746 is a critical security vulnerability affecting the WordPress plugin 'Drag and Drop Multiple File Upload (Pro) - WooCommerce' developed by CodeDropz. This vulnerability arises from improper validation of uploaded file types in the function dnd_upload_cf7_upload_chunks(), present in versions 5.0 through 5.0.5 when bundled with the PrintSpace theme, and all standalone versions up to and including 1.7.1. The lack of restrictions on file types allows unauthenticated attackers to upload arbitrary files to the affected server. Although the plugin attempts to mitigate remote code execution (RCE) by disabling PHP execution via a .htaccess file, certain server configurations may still permit execution of malicious PHP scripts. This can lead to full compromise of the web server, including unauthorized data access, modification, and potential pivoting to internal networks. The vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) and has a CVSS v3.1 score of 9.8, indicating critical severity with network attack vector, no privileges or user interaction required, and high impact on confidentiality, integrity, and availability. No known exploits are currently reported in the wild, but the ease of exploitation and impact make it a significant threat to WordPress sites using this plugin, especially e-commerce platforms relying on WooCommerce.

Potential Impact

For European organizations, particularly those operating e-commerce websites using WooCommerce with the affected plugin, this vulnerability poses a severe risk. Successful exploitation can lead to unauthorized remote code execution, enabling attackers to deploy web shells, steal sensitive customer data including payment information, manipulate product listings or pricing, and disrupt business operations through data destruction or ransomware deployment. The breach of customer trust and potential regulatory penalties under GDPR for data leaks could have substantial financial and reputational consequences. Additionally, compromised servers may be used as a foothold for further attacks within corporate networks or as part of botnets, amplifying the threat landscape. Given the widespread use of WordPress and WooCommerce in Europe, the vulnerability could affect a broad range of sectors including retail, services, and digital agencies.

Mitigation Recommendations

Organizations should immediately audit their WordPress installations to identify the presence of the vulnerable 'Drag and Drop Multiple File Upload (Pro) - WooCommerce' plugin versions. Since no official patches are currently linked, mitigation should include:

1) Temporarily disabling or uninstalling the plugin until a secure update is released;
2) Implementing strict web application firewall (WAF) rules to block suspicious file upload attempts and restrict file types accepted by upload endpoints;
3) Reviewing and hardening server configurations to ensure PHP execution is disabled in upload directories regardless of .htaccess presence, including disabling execution via server-level settings (e.g., nginx configurations);
4) Monitoring web server logs for anomalous upload activity or execution attempts;
5) Employing intrusion detection/prevention systems (IDS/IPS) tuned for file upload attacks;
6) Educating site administrators on secure plugin management and timely updates;
7) Considering alternative secure file upload plugins with robust validation and sandboxing features.

Proactive backups and incident response plans should be updated to handle potential exploitation scenarios.
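Mitigation point 4 (log monitoring) as an added example that is not part of the advisory and not code from the plugin: a Python pass over access-log lines that flags the upload-then-execute pattern this CVE enables, and separately flags any PHP file served with a 200 from wp-content/uploads, which shows the .htaccess block is not honoured on that server. UPLOAD_ENDPOINT_PLACEHOLDER is a placeholder for the site's real upload URL (the page does not give it), and the log lines are constructed.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Placeholder for the plugin's upload URL: replace with the site's real endpoint.
UPLOAD_MARKER = "UPLOAD_ENDPOINT_PLACEHOLDER"
# Extensions a PHP-enabled server may execute if the .htaccess block is ignored.
EXEC_EXT = re.compile(r"\.(php\d?|phtml|phar)(?=[.?]|$)", re.IGNORECASE)
WINDOW = timedelta(minutes=10)   # upload -> request correlation window
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
                    r'(?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')

# Constructed sample log (not real traffic): one upload-then-execute sequence,
# one benign download, one probe that the server correctly refused.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jul/2025:03:47:23 +0000] "POST /UPLOAD_ENDPOINT_PLACEHOLDER HTTP/1.1" 200 128
203.0.113.7 - - [02/Jul/2025:03:47:30 +0000] "GET /wp-content/uploads/2025/07/cmd.php HTTP/1.1" 200 512
198.51.100.4 - - [02/Jul/2025:03:50:01 +0000] "GET /wp-content/uploads/2025/07/invoice.pdf HTTP/1.1" 200 40960
198.51.100.9 - - [02/Jul/2025:03:52:10 +0000] "GET /wp-content/uploads/x.php HTTP/1.1" 403 199
"""

def parse_line(line: str) -> Optional[Dict]:
    # Parse one 'combined' format line; None if it does not match.
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_upload_abuse(log_text: str) -> List[Dict[str, str]]:
    """(a) a 200 for an executable-extension file under wp-content/uploads means
    the .htaccess block is not honoured; (b) a request for such a file from an IP
    that hit the upload endpoint within WINDOW is flagged even if refused."""
    findings: List[Dict[str, str]] = []
    last_upload: Dict[str, datetime] = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        ip, path = rec["ip"], rec["path"]
        if rec["method"] == "POST" and UPLOAD_MARKER in path:
            last_upload[ip] = rec["when"]
            continue
        if "/wp-content/uploads/" in path and EXEC_EXT.search(path):
            if rec["status"] == "200":
                findings.append({"ip": ip, "kind": "php-served-from-uploads", "path": path})
            seen = last_upload.get(ip)
            if seen is not None and rec["when"] - seen <= WINDOW:
                findings.append({"ip": ip, "kind": "upload-then-php-request", "path": path})
    return findings
```

A 403 on a .php path under uploads (the last sample line) is the expected outcome when the .htaccess block works, so it is only reported when it follows an upload from the same address.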


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-06-05T20:22:57.965Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6864b0fa6f40f0eb7291718c

Added to database: 7/2/2025, 4:09:30 AM

Last enriched: 7/2/2025, 4:25:20 AM

Last updated: 8/21/2025, 2:50:50 PM
