Critical Vulnerabilities in WordPress (CVE-2025-2941, CVE-2024-13645, CVE-2025-31381, CVE-2025-2798, CVE-2025-2780, CVE-2025-2005, CVE-2025-2004)

Published: Apr 11, 2025 08:52

Advisory No: TZCERT-SA-25-0081

Source: Wordfence

Software Affected: drag-and-drop, td-composer, booking-calendar, woffice, woffice-core, front-end-only-users, simple-wp-events

Overview

Several WordPress plugins are affected by critical vulnerabilities. Exploitation of these vulnerabilities may lead to the execution of arbitrary code.

Description

The WordPress plugins drag-and-drop, td-composer, booking-calendar, woffice, woffice-core, front-end-only-users, and simple-wp-events are affected by the vulnerabilities tracked as CVE-2025-2941, CVE-2024-13645, CVE-2025-31381, CVE-2025-2798, CVE-2025-2780, CVE-2025-2005, and CVE-2025-2004, with CVSS scores ranging between 9.1 and 9.8. The plugins are vulnerable due to insufficient file path validation via the wc-upload-file[] parameter, PHP Object Instantiation, improper verification of a user's identity, misconfiguration of excluded roles during registration, missing file type validation in the 'saveFeaturedImage' function, missing file type validation in the file upload field of the registration form, and insufficient file path validation in the wpe_delete_file AJAX action. The vulnerabilities allow unauthenticated attackers to bypass access controls, escalate privileges, or achieve remote code execution.
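Two of the defect classes listed above, insufficient file path validation in a file-delete AJAX action and missing file type validation on uploads, share the same defensive pattern. The following is an added example written for this advisory; it is not code from any of the named plugins and makes no claim about how they are implemented. The action name `example_delete_upload`, the `file` POST parameter and the function names are assumptions. It shows the checks a plugin handler needs: a capability and nonce gate before any file system access, confinement of the supplied name to the uploads directory with `realpath()`, and an extension-plus-content allow-list for uploads.

```php
<?php
/**
 * Added example (not code from any plugin named in the advisory).
 * Demonstrates path confinement and file type validation for a WordPress
 * AJAX delete handler and an upload validator. The action name
 * "example_delete_upload" and the "file" parameter are assumptions.
 */

// Resolve a user-supplied file name to a path confined to the uploads
// directory. Returns the real path, or null if the name escapes the
// directory or the file does not exist.
function example_confine_to_uploads( string $user_supplied ): ?string {
    $upload_dir = wp_upload_dir();
    $base       = realpath( $upload_dir['basedir'] );
    if ( false === $base ) {
        return null;
    }
    // Strip any directory component: only a bare file name is accepted.
    $name = sanitize_file_name( basename( wp_unslash( $user_supplied ) ) );
    if ( '' === $name ) {
        return null;
    }
    $target = realpath( $base . DIRECTORY_SEPARATOR . $name );
    // realpath() resolves ".." and symlinks; the result must still sit under $base.
    if ( false === $target || 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
        return null;
    }
    return $target;
}

// Accept only a closed allow-list of types, checked by extension and,
// where WordPress can, by sniffing the actual content.
function example_validate_upload( array $file ): bool {
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'pdf'      => 'application/pdf',
    );
    if ( UPLOAD_ERR_OK !== $file['error'] || ! is_uploaded_file( $file['tmp_name'] ) ) {
        return false;
    }
    // Rejects names like "shell.php.png" whose content is not a real PNG,
    // and any extension outside $allowed.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    return ! empty( $check['ext'] ) && ! empty( $check['type'] );
}

// AJAX handler registered only for logged-in users (no wp_ajax_nopriv_ hook),
// then gated on a nonce and a capability before touching the file system.
add_action( 'wp_ajax_example_delete_upload', function () {
    check_ajax_referer( 'example_delete_upload' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $path = example_confine_to_uploads( $_POST['file'] ?? '' );
    if ( null === $path || ! is_file( $path ) ) {
        wp_send_json_error( 'invalid file', 400 );
    }
    wp_delete_file( $path );
    wp_send_json_success();
} );
```

The order of the checks matters: authorisation (nonce and capability) is decided before the file name is even looked at, and the path check compares the resolved path against the resolved base directory rather than searching the raw input for "..", which misses encoded and symlink variants.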

Impact

Successful exploitation of these vulnerabilities may allow the attackers to take control of the affected system.

Solution

WordPress has released security patches for these vulnerabilities. Users and administrators are encouraged to apply the necessary updates.
