
CVE-2025-6222: CWE-434 Unrestricted Upload of File with Dangerous Type in WP Swings WooCommerce Refund And Exchange with RMA - Warranty Management, Refund Policy, Manage User Wallet

Severity: Critical
Vulnerability: CVE-2025-6222 (CWE-434)
Published: Fri Jul 18 2025 (07/18/2025, 05:23:56 UTC)
Source: CVE Database V5
Vendor/Project: WP Swings
Product: WooCommerce Refund And Exchange with RMA - Warranty Management, Refund Policy, Manage User Wallet

Description

The WooCommerce Refund And Exchange with RMA - Warranty Management, Refund Policy, Manage User Wallet theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'ced_rnx_order_exchange_attach_files' function in all versions up to, and including, 3.2.6. This makes it possible for unauthenticated attackers to upload arbitrary files to the affected site's server, which may make remote code execution possible.

AI-Powered Analysis

AI analysis last updated: 07/18/2025, 05:46:40 UTC

Technical Analysis

CVE-2025-6222 is a critical vulnerability affecting the WordPress plugin 'WooCommerce Refund And Exchange with RMA - Warranty Management, Refund Policy, Manage User Wallet' developed by WP Swings. This plugin is widely used to manage refund and exchange processes, warranty management, refund policies, and user wallets in WooCommerce-based e-commerce websites. The vulnerability arises from improper validation of uploaded files in the function 'ced_rnx_order_exchange_attach_files'. Specifically, the plugin fails to restrict the types of files that can be uploaded, allowing unauthenticated attackers to upload arbitrary files, including potentially malicious scripts. This lack of file type validation corresponds to CWE-434 (Unrestricted Upload of File with Dangerous Type). Since the vulnerability can be exploited without any authentication or user interaction, attackers can directly upload files that may lead to remote code execution (RCE) on the affected server. The CVSS v3.1 base score is 9.8, indicating a critical severity with network attack vector, low attack complexity, no privileges required, and no user interaction needed. The impact includes full compromise of the affected web server, data theft, defacement, or pivoting to internal networks. No patches or fixes have been published at the time of disclosure, and no known exploits are currently in the wild, but the severity and ease of exploitation make this a high-risk vulnerability for sites using this plugin version 3.2.6 or earlier.

Potential Impact

For European organizations, this vulnerability poses a significant risk, especially for e-commerce businesses relying on WooCommerce and this specific plugin for their refund and warranty management workflows. Exploitation could lead to unauthorized access to sensitive customer data, including personal and payment information, violating GDPR requirements and potentially resulting in regulatory fines and reputational damage. Additionally, successful remote code execution could allow attackers to deploy ransomware, steal intellectual property, or disrupt business operations. Given the critical nature of the vulnerability and the lack of authentication requirements, attackers can easily target vulnerable sites across Europe, potentially affecting a large number of small to medium-sized enterprises (SMEs) that commonly use WordPress and WooCommerce plugins. The impact extends beyond data confidentiality to integrity and availability, as attackers could modify site content or take the site offline.

Mitigation Recommendations

Immediate mitigation steps include disabling or uninstalling the vulnerable plugin until a patch is released. Organizations should monitor official WP Swings channels for security updates and apply patches promptly once available. As a temporary workaround, web administrators can implement strict web application firewall (WAF) rules to block file uploads to the vulnerable endpoint or restrict upload file types at the server level. Additionally, restricting write permissions on upload directories and employing intrusion detection systems to monitor unusual file uploads can reduce risk. Regular backups and incident response plans should be reviewed and updated to prepare for potential exploitation. Organizations should also audit their WordPress installations to identify and inventory all instances of this plugin to prioritize remediation efforts. Finally, applying the principle of least privilege to WordPress user roles and server permissions can limit the damage in case of exploitation.
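The technical analysis above attributes the flaw to an attachment handler that neither restricts callers nor validates file types, and the mitigation steps ask for type restriction and least privilege. The following WordPress AJAX handler is an added example, not the WP Swings plugin's code, showing the checks such an endpoint needs: no unauthenticated hook, nonce verification, an extension and content allowlist built on wp_check_filetype_and_ext(), and a random stored filename. The action, function and nonce names are hypothetical.

```php
<?php
// Added example, not the WP Swings plugin's code; action, function and nonce names are hypothetical.
// Only the authenticated hook is registered: no 'wp_ajax_nopriv_' variant, so anonymous requests never reach this code.
add_action( 'wp_ajax_example_rma_attach_files', 'example_rma_attach_files' );
function example_rma_attach_files() {
    // 1. CSRF and session checks before any input is touched.
    check_ajax_referer( 'example_rma_attach', 'nonce' );
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 401 );
    }
    if ( empty( $_FILES['attachment']['tmp_name'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }
    $file = $_FILES['attachment'];
    // 2. Explicit allowlist of what an RMA attachment needs; php, phtml, html, svg etc. are never accepted.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'pdf'      => 'application/pdf',
    );
    // 3. Size cap (constructed value; set per policy).
    if ( $file['size'] > 5 * MB_IN_BYTES ) {
        wp_send_json_error( 'file too large', 413 );
    }
    // 4. Extension allowlist plus content check: core compares non-image bytes via finfo, but its
    //    image branch only remaps when it detects an image, so confirm the bytes decode as the claimed type.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }
    if ( 0 === strpos( $check['type'], 'image/' )
         && wp_get_image_mime( $file['tmp_name'] ) !== $check['type'] ) {
        wp_send_json_error( 'file content does not match image type', 415 );
    }
    // 5. Core moves the file (re-checking the allowlist) under a random name,
    //    so an attacker-chosen filename never reaches disk.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $file, array(
        'test_form'                => false,
        'mimes'                    => $allowed,
        'unique_filename_callback' => function ( $dir, $name, $ext ) {
            return wp_generate_password( 24, false ) . $ext;
        },
    ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'stored_as' => basename( $result['file'] ) ) );
}
```

Even with these checks in place, keep script execution disabled for wp-content/uploads at the web-server level, as the mitigation steps recommend, so that a validation bypass cannot become code execution.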


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-06-17T22:31:51.523Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6879dc20a83201eaacef69fc

Added to database: 7/18/2025, 5:31:12 AM

Last enriched: 7/18/2025, 5:46:40 AM

Last updated: 7/18/2025, 9:25:19 AM

