Introduction
Attackers can gain remote code execution on WooCommerce-powered WordPress sites by exploiting a critical flaw in the Uni CPO Premium plugin. The vulnerability allows unauthenticated users to upload arbitrary files, putting e-commerce businesses at risk of full site compromise and data breach.
The Uni CPO Premium plugin is a WooCommerce extension developed by Moomoo Agency that adds advanced product options and price calculation formulas to online stores. It is widely deployed in the WooCommerce ecosystem, typically on sites that handle sensitive customer and transaction data.
Technical Information
CVE-2025-10412 is a critical vulnerability resulting from insufficient file type validation in the uni_cpo_upload_file function of the Uni CPO Premium plugin. The flaw exists in all versions up to and including 4.9.54. The vulnerable function does not adequately restrict the types of files that can be uploaded, allowing unauthenticated users to upload arbitrary files to the server.
Attackers can exploit this by sending crafted upload requests directly to the file upload endpoint exposed by the plugin. Because the handler neither requires authentication nor validates the uploaded file's type and extension against an allowlist, a malicious file such as a PHP web shell can be uploaded; on the common configuration where the web server executes PHP from the WordPress uploads directory, the attacker then requests the file by URL and the shell runs. This leads to remote code execution, full site compromise, and the potential for attackers to maintain persistent access or pivot further into the environment. Blocking PHP execution in wp-content/uploads at the web server layer reduces the impact but does not fix the flaw: the arbitrary upload primitive remains.
The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). No public code snippets are available at this time, but the attack vector is clear: unauthenticated file uploads through a plugin upload handler whose file type validation is insufficient.
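To make the CWE-434 pattern concrete, the following is an added example and not code from Uni CPO (the page publishes no snippet for CVE-2025-10412). It shows the vulnerable shape such a WordPress AJAX upload handler usually takes, then a hardened version using WordPress's own upload APIs. The hook names, function names and the `example_` prefix are hypothetical; only the WordPress functions called are real.

```php
<?php
/**
 * Added example, not code from the Uni CPO plugin. Hook and function names
 * are hypothetical; the WordPress APIs (wp_check_filetype_and_ext,
 * wp_handle_upload, check_ajax_referer, current_user_can) are real.
 */

// --- Vulnerable pattern (CWE-434) -------------------------------------------
// Registered on wp_ajax_nopriv_*, so anonymous visitors can reach it. The
// only "validation" is the client-supplied MIME string, which is never
// compared with the file's contents or extension, so "shell.php" sent with
// Content-Type: image/png is accepted and stored under its original name.
add_action( 'wp_ajax_nopriv_example_upload', 'example_upload_vulnerable' );
add_action( 'wp_ajax_example_upload',        'example_upload_vulnerable' );

function example_upload_vulnerable() {
    if ( empty( $_FILES['file'] ) ) {
        wp_send_json_error( 'no file' );
    }
    $file    = $_FILES['file'];
    $allowed = array( 'image/jpeg', 'image/png', 'application/pdf' );

    // $file['type'] is whatever the browser or curl claims.
    if ( ! in_array( $file['type'], $allowed, true ) ) {
        wp_send_json_error( 'bad type' );
    }

    $upload_dir = wp_upload_dir();
    // Attacker controls the extension and therefore the resulting URL.
    $dest = trailingslashit( $upload_dir['path'] ) . basename( $file['name'] );
    move_uploaded_file( $file['tmp_name'], $dest );
    wp_send_json_success( array(
        'url' => trailingslashit( $upload_dir['url'] ) . basename( $file['name'] ),
    ) );
}

// --- Hardened version ---------------------------------------------------------
// No nopriv hook: the caller must be logged in, hold an explicit capability
// and present a nonce. The type is decided from extension AND content via
// wp_check_filetype_and_ext() against a strict allowlist, and the stored
// filename is generated server-side.
add_action( 'wp_ajax_example_upload_safe', 'example_upload_hardened' );

function example_upload_hardened() {
    check_ajax_referer( 'example_upload', 'nonce' );         // CSRF protection
    if ( ! current_user_can( 'upload_files' ) ) {             // authorization
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( empty( $_FILES['file'] ) || UPLOAD_ERR_OK !== $_FILES['file']['error'] ) {
        wp_send_json_error( 'no file', 400 );
    }
    $file = $_FILES['file'];

    // Explicit allowlist, extension => MIME. Anything else is rejected,
    // including .php, .phtml, .phar, .htaccess and double extensions.
    $mimes = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'pdf'      => 'application/pdf',
    );
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $mimes );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }

    // Let WordPress move the file: it re-runs the type check, sanitizes the
    // name and handles collisions. The callback removes the attacker's
    // control over the stored path entirely.
    $overrides = array(
        'test_form'                => false,
        'mimes'                    => $mimes,
        'unique_filename_callback' => 'example_random_name',
    );
    $result = wp_handle_upload( $file, $overrides );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}

// Server-chosen filename: random stem, extension supplied by WordPress from
// the validated type ($ext already includes the leading dot).
function example_random_name( $dir, $name, $ext ) {
    return wp_generate_password( 16, false, false ) . $ext;
}
```

Even with the hardened handler, keep PHP execution disabled in wp-content/uploads at the web server (Apache `php_flag engine off` / nginx `location ~* /uploads/.*\.php$ { deny all; }`) so that a future upload bug degrades to a storage problem rather than code execution.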
Affected Systems and Versions
- Product: Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) plugin for WordPress
- Affected versions: All versions up to and including 4.9.54
- Vulnerable configuration: Any WordPress site with the affected plugin version installed and active
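As an added triage check, not part of this advisory or the Uni CPO project, the script below locates any installed plugin whose header names Uni CPO, compares its version with the last affected release listed above, and then lists files under wp-content/uploads that a PHP-enabled web server could execute, which is the cheapest indicator that an arbitrary-upload flaw of this kind was abused. Matching on the plugin's display name (rather than a directory slug, which the page does not give) and the script's filename are assumptions.

```php
<?php
/**
 * Added triage script, not from the Uni CPO project. Usage:
 *   php uni-cpo-triage.php /path/to/wordpress
 * Assumptions: the plugin header's "Plugin Name" contains "Uni CPO"; the
 * site uses the standard wp-content/plugins and wp-content/uploads layout.
 */

const LAST_AFFECTED = '4.9.54';   // from the advisory's affected-version range

// Read a WordPress plugin header field (same 8 KB window WordPress reads).
function plugin_header( string $file, string $field ): ?string {
    $head = file_get_contents( $file, false, null, 0, 8192 );
    $re   = '/^[ \t\/*#@]*' . preg_quote( $field, '/' ) . ':(.*)$/mi';
    if ( false !== $head && preg_match( $re, $head, $m ) ) {
        return trim( $m[1] );
    }
    return null;
}

// Map of main plugin file => declared version for every Uni CPO install found.
function find_uni_cpo( string $plugins_dir ): array {
    $hits = array();
    foreach ( glob( $plugins_dir . '/*/*.php' ) ?: array() as $file ) {
        $name = plugin_header( $file, 'Plugin Name' );
        if ( null !== $name && false !== stripos( $name, 'Uni CPO' ) ) {
            $hits[ $file ] = plugin_header( $file, 'Version' ) ?? '0';
        }
    }
    return $hits;
}

// Files in the uploads tree that should never be there: PHP-handled
// extensions, server config overrides, or "images" containing PHP tags
// (polyglots that become executable once an .htaccess remaps them).
function executable_uploads( string $uploads_dir ): array {
    $suspicious = array();
    if ( ! is_dir( $uploads_dir ) ) {
        return $suspicious;
    }
    $php_ext = '/\.(php\d?|phtml|phar)$/i';
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $uploads_dir, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $it as $f ) {
        $path = $f->getPathname();
        $base = $f->getFilename();
        if ( preg_match( $php_ext, $base ) || '.htaccess' === $base || '.user.ini' === $base ) {
            $suspicious[] = $path;
            continue;
        }
        $head = file_get_contents( $path, false, null, 0, 4096 );
        if ( false !== $head && preg_match( '/<\?php|<\?=/i', $head ) ) {
            $suspicious[] = $path;
        }
    }
    return $suspicious;
}

$root = rtrim( $argv[1] ?? '.', '/' );

foreach ( find_uni_cpo( $root . '/wp-content/plugins' ) as $file => $ver ) {
    // Versions above 4.9.54 are outside the stated affected range; the
    // advisory does not name a fixed release, so do not call them "patched".
    $state = version_compare( $ver, LAST_AFFECTED, '<=' ) ? 'AFFECTED' : 'outside affected range';
    printf( "%-22s %-8s %s\n", $state, $ver, $file );
}
foreach ( executable_uploads( $root . '/wp-content/uploads' ) as $path ) {
    printf( "SUSPICIOUS             %s\n", $path );
}
```

A hit in the uploads listing is a reason to treat the host as compromised and move to incident response (preserve web server access logs, check for new admin users and scheduled tasks), not merely to update the plugin.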
Vendor Security History
Moomoo Agency, the developer of Uni CPO, has previously addressed security issues in this plugin, including cross-site scripting and input validation flaws. The vendor has released patches in response to disclosures, but the recurrence of vulnerabilities indicates a need for more robust secure development and testing practices.