Vitepos for WooCommerce CVE-2025-13156 Arbitrary File Upload: Brief Summary and Technical Review

This post presents a brief summary and technical review of CVE-2025-13156, a high-severity arbitrary file upload vulnerability in the Vitepos Point of Sale plugin for WooCommerce. We focus on specific affected versions, technical exploitation details, and vendor security history, based strictly on available public information.
ZeroPath CVE Analysis

2025-11-21

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.


Introduction

A single file upload can open the door to remote code execution, data theft, and total compromise of a WooCommerce store. For any retailer relying on the Vitepos Point of Sale plugin, CVE-2025-13156 is a vulnerability that demands immediate attention due to its real-world impact on e-commerce operations and customer data security.

Vitepos is a specialized point of sale solution for WooCommerce, developed by AppsBD. With over 1,000 active installations and a focus on integrating physical retail with online stores, Vitepos serves a niche but critical segment of the WordPress ecosystem. The plugin's reach means that even a single vulnerability can have ripple effects across a significant number of small and medium-sized businesses.

Technical Information

CVE-2025-13156 is a high-severity arbitrary file upload vulnerability (CVSS 8.8) affecting all versions of the Vitepos Point of Sale plugin for WooCommerce up to and including 3.3.0. The root cause is a lack of file type validation in the save_update_category_img() function, which handles category image uploads. This function accepts user-supplied files and passes them to insert_media_attachment() without verifying that the uploaded file is a legitimate image. As a result, any authenticated user with subscriber-level access or higher can upload arbitrary files, including executable PHP scripts.

The attack flow is as follows: an attacker with subscriber credentials logs into a vulnerable WooCommerce site, navigates to the category image upload functionality, and submits a crafted file (such as a PHP web shell) instead of an image. Because the plugin does not enforce file type restrictions at any point in the upload process, the malicious file is stored in a web-accessible directory. The attacker can then access the file via HTTP, triggering remote code execution with the privileges of the web server process.

This vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). The risk is amplified by the fact that subscriber-level accounts are easy to obtain on many WooCommerce sites, either through open registration or by compromising low-privilege user accounts. No public code snippets are available, but the vulnerability mechanism is confirmed by multiple advisories and the plugin's changelog.
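Since no public snippet of the affected handler exists, the following is an added, hypothetical illustration (not Vitepos or AppsBD code) of the CWE-434 pattern described above beside a hardened form built on real WordPress APIs. The names `vulnerable_save_category_img`, `hardened_save_category_img` and the assumed helper `insert_media_attachment` are placeholders; the capability `manage_woocommerce` is an assumption about what a category-image upload should require.

```php
<?php
// Hypothetical illustration, not the plugin's code.
// Vulnerable pattern: the uploaded file goes straight to the attachment
// helper; nothing checks extension, MIME type or caller privileges.
function vulnerable_save_category_img( array $file ) {
    return insert_media_attachment( $file ); // assumed helper, name is illustrative
}

// Hardened pattern: privilege check, allowlist of image types, content sniff,
// then a restricted wp_handle_upload() before creating the attachment.
function hardened_save_category_img( array $file ) {
    if ( ! current_user_can( 'manage_woocommerce' ) ) { // assumed capability
        return new WP_Error( 'forbidden', 'Insufficient privileges.' );
    }
    $allowed = array(
        'jpg|jpeg|jpe' => 'image/jpeg',
        'png'          => 'image/png',
        'gif'          => 'image/gif',
        'webp'         => 'image/webp',
    );
    // Validates the extension against the allowlist and sniffs the file
    // content; on mismatch both 'ext' and 'type' come back empty.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'invalid_type', 'Only image files are accepted.' );
    }
    if ( ! empty( $check['proper_filename'] ) ) {
        $file['name'] = $check['proper_filename']; // corrected extension
    }
    // 'mimes' restricts the move itself, so a second layer enforces the allowlist.
    $upload = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $upload['error'] ) ) {
        return new WP_Error( 'upload_failed', $upload['error'] );
    }
    $attachment = array(
        'post_mime_type' => $upload['type'],
        'post_title'     => sanitize_file_name( pathinfo( $upload['file'], PATHINFO_FILENAME ) ),
        'post_content'   => '',
        'post_status'    => 'inherit',
    );
    $attachment_id = wp_insert_attachment( $attachment, $upload['file'], 0, true );
    if ( is_wp_error( $attachment_id ) ) {
        return $attachment_id;
    }
    require_once ABSPATH . 'wp-admin/includes/image.php';
    $meta = wp_generate_attachment_metadata( $attachment_id, $upload['file'] );
    wp_update_attachment_metadata( $attachment_id, $meta );
    return $attachment_id;
}
```

On a site that cannot yet update past 3.3.0, the same allowlist can be enforced globally through the `upload_mimes` filter, and a web-server rule denying PHP execution under `wp-content/uploads` limits the impact of any file that does slip through.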

Affected Systems and Versions

All versions of the Vitepos Point of Sale plugin for WooCommerce up to and including 3.3.0 are vulnerable. The vulnerability is present in any configuration where the plugin is installed and active, and where users with subscriber-level access or above can upload category images. The issue is resolved in version 3.3.1 and later.

Vendor Security History

AppsBD, the developer of Vitepos, has a documented history of security issues in this plugin. Previous vulnerabilities include CVE-2024-33574, which involved missing authorization checks, and other authentication-related flaws. The vendor has responded to reported vulnerabilities by releasing updates, but does not maintain a dedicated security advisory page. The recurring nature of access control and input validation issues suggests that security processes could be improved.
