CVE-2025-2780: Critical File Upload Vulnerability in Woffice Core Plugin

Overview

A critical vulnerability has been identified in the Woffice Core plugin for WordPress, affecting all versions up to and including 5.4.21. Tracked as CVE-2025-2780, this flaw enables authenticated users with Subscriber-level access or higher to upload arbitrary files to the server due to missing file type validation in the saveFeaturedImage function.

Technical Details

The issue arises from the lack of proper file type validation, which permits users with minimal privileges to upload files of any type. Classified under CWE-434: Unrestricted Upload of File with Dangerous Type, this vulnerability can be exploited to upload executable scripts that may lead to remote code execution (RCE) on the hosting server.

The vulnerable function, saveFeaturedImage, fails to restrict file MIME types or sanitize file content. This creates an opportunity for threat actors to upload malicious payloads disguised as images or documents.
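The following is an added example of what a hardened "save featured image" handler looks like in WordPress; it is not the Woffice Core code and not the vendor's fix. The action name, nonce name, request field names and the helper's name are assumptions. It closes the two gaps the advisory describes: it checks the caller's capability before touching the upload (a Subscriber lacks upload_files), and it validates extension, declared MIME type and file content together before letting WordPress move the file.

```php
<?php
/**
 * Hypothetical hardened featured-image upload handler (added example, not the plugin's code).
 * Registered as an admin-ajax action; the action and nonce names below are assumed.
 */
add_action( 'wp_ajax_example_save_featured_image', 'example_save_featured_image' );

function example_save_featured_image() {
    // 1. CSRF check. 'example_featured_image' / 'nonce' are assumed names for this example.
    check_ajax_referer( 'example_featured_image', 'nonce' );

    // 2. Authorization. Subscribers do not have upload_files, so the request stops here.
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! current_user_can( 'upload_files' ) || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    if ( empty( $_FILES['image'] ) || ! is_uploaded_file( $_FILES['image']['tmp_name'] ) ) {
        wp_send_json_error( 'no file uploaded', 400 );
    }
    $file = $_FILES['image'];

    // 3. Allowlist of raster image types only. SVG is deliberately excluded: it can carry script.
    $allowed_mimes = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
        'webp'     => 'image/webp',
    );

    // 4. Validate extension, declared type and content signature against the allowlist.
    //    wp_check_filetype_and_ext() returns empty 'ext'/'type' when they disagree.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed_mimes );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }
    // The bytes must also parse as a real image, not merely carry an image extension.
    if ( false === @getimagesize( $file['tmp_name'] ) ) {
        wp_send_json_error( 'not a valid image', 415 );
    }

    // 5. Let WordPress move the file, re-applying the same allowlist and sanitising the name.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/image.php';
    $upload = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed_mimes ) );
    if ( isset( $upload['error'] ) ) {
        wp_send_json_error( $upload['error'], 400 );
    }

    // 6. Register the attachment and set it as the post's featured image.
    $attachment_id = wp_insert_attachment(
        array(
            'post_mime_type' => $upload['type'],
            'post_title'     => sanitize_file_name( pathinfo( $upload['file'], PATHINFO_FILENAME ) ),
            'post_status'    => 'inherit',
        ),
        $upload['file'],
        $post_id
    );
    if ( is_wp_error( $attachment_id ) ) {
        wp_send_json_error( $attachment_id->get_error_message(), 500 );
    }
    wp_update_attachment_metadata(
        $attachment_id,
        wp_generate_attachment_metadata( $attachment_id, $upload['file'] )
    );
    set_post_thumbnail( $post_id, $attachment_id );

    wp_send_json_success( array( 'attachment_id' => $attachment_id ) );
}
```

The capability check is the part that directly addresses the Subscriber-level exposure; the MIME allowlist passed to both wp_check_filetype_and_ext() and wp_handle_upload() is what prevents a script renamed with an image extension from being written to disk, since the content signature is compared with the extension rather than trusting the client-supplied type.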

Severity and CVSS Score

This vulnerability has received a CVSS v3.1 base score of 9.8 (Critical), with the vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. This score reflects:

  • Network-based attack vector
  • Low complexity
  • No user interaction required
  • High impact on confidentiality, integrity, and availability

Potential Impact

Authenticated users, including Subscribers, could upload files that execute arbitrary code. This opens the door to complete server takeover, data theft, or lateral movement within the hosting environment. Since the attack can be automated, it represents a significant threat for any site using the vulnerable plugin version.

Mitigation and Recommendations

  • Update Immediately: Upgrade to Woffice Core version 5.4.22 or later.
  • Restrict File Uploads: Use application-layer firewalls or additional plugins to limit file upload types.
  • Monitor Logs: Review recent uploads and access logs for suspicious activity.
  • Review User Roles: Ensure only necessary users have upload permissions.
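For the "Monitor Logs" step, a concrete check is to sweep the uploads directory for files that should never be there. The script below is an added example written for this advisory, not part of the plugin or any vendor tooling; the default directory path and the extension lists are assumptions. It flags executable extensions anywhere in a file name (including double extensions), web server configuration files dropped into uploads, files containing a PHP open tag, and files whose extension disagrees with their content signature.

```php
<?php
/**
 * Hypothetical upload-directory scanner (added example, not the plugin's code).
 * Usage: php scan-uploads.php /var/www/html/wp-content/uploads
 */

// Extensions a web server may execute; none of these belong under uploads/.
const EXECUTABLE_EXT = array(
    'php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar',
    'shtml', 'cgi', 'pl', 'py', 'sh',
);

// Expected content type per extension for the types an image upload is likely to carry.
const EXPECTED_MIME = array(
    'jpg'  => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png',
    'gif'  => 'image/gif',  'webp' => 'image/webp', 'pdf' => 'application/pdf',
);

// Walks $dir and returns path => reason for every file that warrants review.
function scan_uploads( string $dir ): array {
    $findings = array();
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS )
    );
    $finfo = new finfo( FILEINFO_MIME_TYPE );

    foreach ( $iter as $file ) {
        if ( ! $file->isFile() ) {
            continue;
        }
        $path  = $file->getPathname();
        $name  = strtolower( $file->getFilename() );
        $parts = explode( '.', $name );
        array_shift( $parts ); // drop the base name; everything left is an extension

        // 1. Executable extension anywhere in the name (catches shell.php.jpg).
        if ( array_intersect( $parts, EXECUTABLE_EXT ) ) {
            $findings[ $path ] = 'executable extension in file name';
            continue;
        }
        // 2. Server configuration inside uploads/ can re-enable script execution there.
        if ( in_array( $name, array( '.htaccess', 'web.config', '.user.ini' ), true ) ) {
            $findings[ $path ] = 'web server configuration file in uploads';
            continue;
        }
        // 3. PHP open tag in the first 8 KiB of a file that claims to be something else.
        $head = (string) file_get_contents( $path, false, null, 0, 8192 );
        if ( preg_match( '/<\?(php|=)/i', $head ) ) {
            $findings[ $path ] = 'PHP open tag in content';
            continue;
        }
        // 4. Declared extension disagrees with the content signature.
        $ext  = end( $parts ) ?: '';
        $mime = $finfo->file( $path ) ?: 'unknown';
        if ( isset( EXPECTED_MIME[ $ext ] ) && $mime !== EXPECTED_MIME[ $ext ] ) {
            $findings[ $path ] = "extension .$ext but content is $mime";
        }
    }
    return $findings;
}

$dir = $argv[1] ?? 'wp-content/uploads'; // assumed default relative to the site root
foreach ( scan_uploads( $dir ) as $path => $reason ) {
    printf( "%s\t%s\n", $reason, $path );
}
```

Treat every hit as something to review rather than proof of compromise; correlate flagged paths with the web server access log (a request for a flagged file under uploads/ shortly after a POST to the plugin's upload endpoint is the pattern to look for) and compare file modification times against the window in which the vulnerable version was installed.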

Credits

This vulnerability was responsibly disclosed by Friderika Baranyai.
