Introduction
Attackers can gain full control of a WordPress e-commerce site by uploading a web shell through a critical flaw in WooCommerce Designer Pro. This vulnerability affects any store running the plugin up to and including version 1.9.24, exposing sensitive data and business operations to compromise.
WooCommerce Designer Pro is a premium plugin by HaruTheme that enables advanced product customization for WooCommerce stores. While not as ubiquitous as core WooCommerce, it is used by a segment of online retailers seeking rich design features for their customers. The WordPress plugin ecosystem has seen a series of high-impact vulnerabilities in similar tools, making this issue especially relevant for security teams managing e-commerce platforms.
Technical Information
CVE-2025-60219 is a critical instance of CWE-434 (Unrestricted Upload of File with Dangerous Type). The vulnerability exists in WooCommerce Designer Pro from an unspecified starting version through 1.9.24. Attackers can exploit the plugin's file upload feature to place arbitrary files, including executable web shells, onto the web server. This is typically possible due to insufficient validation of file type, extension, or file content in the upload handler.
Patterns observed in similar WordPress plugin vulnerabilities suggest attackers may:
- Send crafted HTTP requests to endpoints handling user uploads
- Manipulate MIME types or use double file extensions to bypass weak checks
- Upload PHP or other executable files disguised as images or documents
Once a malicious file is uploaded, it can be accessed directly via the web, allowing remote code execution. This leads to full site compromise, data theft, privilege escalation, and the establishment of persistent access. No public code snippets or PoCs are available for this specific CVE.
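The three bypass patterns listed above all target the same weak spot: an upload handler that trusts the client-supplied filename or MIME type. The following is an added example, written for this article and not taken from HaruTheme's plugin, of the checks a hardened WordPress upload handler needs in order to defeat each of them. The function name wcdp_validate_upload, the size limit and the allowlist are assumptions chosen for illustration.

```php
<?php
// Added example (not HaruTheme's or the plugin's code): a hardened upload
// validator. Each numbered check maps to one of the bypasses described above.
// Function name, size limit and allowlist are hypothetical choices.

declare(strict_types=1);

/**
 * Validate one entry of $_FILES and move it to $uploadDir under a random
 * name. Throws RuntimeException on any rejection; returns the stored path.
 *
 * @param array  $file      One $_FILES entry (name, type, tmp_name, size, error)
 * @param string $uploadDir Directory the web server must never execute scripts from
 */
function wcdp_validate_upload(array $file, string $uploadDir): string
{
    // Allowed extension => MIME types that the file CONTENT must sniff as.
    $allowed = [
        'png'  => ['image/png'],
        'jpg'  => ['image/jpeg'],
        'jpeg' => ['image/jpeg'],
        'gif'  => ['image/gif'],
        'pdf'  => ['application/pdf'],
    ];

    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload error');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > 5 * 1024 * 1024) {
        throw new RuntimeException('file too large');
    }

    // 1. Double extensions: judge the name by its LAST extension only, lowercased.
    //    "shell.png.php" -> "php" -> rejected; "shell.php.png" -> "png" -> must
    //    then also pass the content checks below, and is renamed in step 4 so the
    //    ".php." fragment never reaches disk.
    $name = basename((string) $file['name']);
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        throw new RuntimeException('extension not allowed');
    }

    // 2. Manipulated MIME type: never consult $file['type'] (client-controlled);
    //    sniff the actual bytes instead.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!in_array($mime, $allowed[$ext], true)) {
        throw new RuntimeException('content does not match extension');
    }

    // 3. Scripts disguised as images: a fake image header followed by PHP code
    //    may fool a magic-number check but not the image decoder.
    if (str_starts_with($mime, 'image/') && getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a valid image');
    }

    // 4. Never reuse the client filename: random name, one known-safe extension.
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    return $dest;
}

// Typical call from a form handler (hypothetical field name "design"):
// $path = wcdp_validate_upload($_FILES['design'], WP_CONTENT_DIR . '/uploads/wcdp');
```

In a real plugin the same checks are available through WordPress's own wp_check_filetype_and_ext() and wp_handle_upload(), which compare the extension against the sniffed content in the same way. Whatever validates the upload, pair it with a web server rule that refuses to execute scripts under wp-content/uploads (for Apache, a FilesMatch block denying .php; for nginx, a location rule returning 403 for .php under that path), so that a file which slips past validation still cannot be run by requesting it directly.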
Affected Systems and Versions
- Product: WooCommerce Designer Pro (by HaruTheme)
- Affected versions: All versions up to and including 1.9.24
- Vulnerable configurations: Any WordPress site with the plugin active in this version range
Vendor Security History
No public record of prior vulnerabilities for HaruTheme was found. However, the plugin market segment (product customization for WooCommerce) has seen repeated critical vulnerabilities in similar products, such as Fancy Product Designer, often with slow patch cycles and mass exploitation. The lack of immediate patch or vendor communication for CVE-2025-60219 is notable.