CVE-2025-13329

Critical

Published: 20 December 2025

Published

20 December 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0028 51.2th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-13329 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Wordpress (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 48.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-14 (Public Access Protections) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly addresses the missing file type validation in the 'add-image-data' REST API endpoint to block arbitrary file uploads.

SC-14 Public Access Protections good match

prevent

Enforces authorization requirements on the publicly accessible vulnerable REST API endpoint to block unauthenticated attackers.

SI-2 Flaw Remediation good match

prevent

Ensures timely patching of the plugin vulnerability as fixed in changeset 3423070 to remediate the arbitrary upload flaw.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability is an unauthenticated arbitrary file upload in a public-facing WordPress plugin's REST API endpoint, directly enabling exploitation of a public-facing application for potential RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

The File Uploader for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the callback function for the 'add-image-data' REST API endpoint in all versions up to, and including, 1.0.3. This makes…

it possible for unauthenticated attackers to upload arbitrary files to the Uploadcare service and subsequently download them on the affected site's server which may make remote code execution possible.

Deeper analysisAI

CVE-2025-13329 is a critical vulnerability in the File Uploader for WooCommerce plugin for WordPress, affecting all versions up to and including 1.0.3. It stems from missing file type validation in the callback function for the 'add-image-data' REST API endpoint, enabling arbitrary file uploads. Assigned CWE-434 (Unrestricted Upload of File with Dangerous Type), it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility and lack of prerequisites.

Unauthenticated attackers can exploit this flaw remotely by sending crafted requests to the vulnerable endpoint. This allows them to upload arbitrary files to the associated Uploadcare service, which they can then download onto the affected WordPress site's server. Such uploads may lead to remote code execution if malicious files like web shells are successfully placed and invoked.

Mitigation details are available in related advisories and patches. Wordfence's threat intelligence page provides vulnerability specifics under ID da0f0e1a-bbf8-42a5-b330-b53134488ebd. A fix appears in WordPress plugin trac changeset 3423070, modifying the UploaderHelper class in the plugin's source code; users should update to the latest version via the official plugin page on wordpress.org.