RCE Risk in WooCommerce Refund and Exchange with RMA: Unauthenticated File Upload (CVE-2025-6222)
When a single HTTP request can give an attacker full control over a WordPress e-commerce site, the stakes are existential. CVE-2025-6222 exposes precisely this risk: a critical unauthenticated file upload vulnerability in the WooCommerce Refund and Exchange with RMA plugin, used by thousands of online stores to manage returns and customer wallets. With a CVSS score of 9.8, this flaw is a textbook example of how missing server-side validation can lead to remote code execution (RCE) and total site compromise.
Involved Software: WooCommerce Refund and Exchange with RMA
WooCommerce Refund and Exchange with RMA is a popular WordPress plugin developed by WPSwings and distributed via CodeCanyon. It streamlines refund, exchange, and warranty management for WooCommerce-powered stores. With over 100,000 active installations, its security posture directly impacts a large segment of the e-commerce market.
Technical Information
Vulnerability Mechanism
The vulnerability resides in the ced_rnx_order_exchange_attach_files function, responsible for handling file attachments during refund or exchange requests. In all versions up to and including 3.2.6, this function:
- Fails to validate file types or MIME types on the server side.
- Accepts arbitrary file extensions, including executable types such as .php.
- Stores uploaded files in a web-accessible directory (/wp-content/uploads/wps-uploads/refund-and-exchange/attachments/).
- Does not require authentication to access the vulnerable endpoint.
Exploitation Flow
- Attacker crafts a POST request to the endpoint with a file payload (e.g., shell.php).
- Server accepts and stores the file under the client-supplied name without validating its type or content.
- Attacker requests the uploaded file by its direct URL under the attachments directory; the web server executes it as PHP, giving arbitrary code execution as the web server user.
Example Vulnerable Pattern
```php
<?php
// Pseudocode representation of the vulnerable logic
if (isset($_FILES['files'])) {
    foreach ($_FILES['files']['tmp_name'] as $i => $tmp_name) {
        // No authentication, no extension check, no MIME type check:
        // the client-supplied name (and therefore its extension) is used as-is,
        // and the destination is served directly by the web server.
        move_uploaded_file($tmp_name, $upload_dir . $_FILES['files']['name'][$i]);
    }
}
```
This is a classic CWE-434 (Unrestricted Upload of File with Dangerous Type) scenario. The lack of file type validation and authentication makes exploitation trivial and scalable.
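The following is an added example, not the plugin's code: the handler pattern described above beside a hardened version that checks authorization, allowlists the extension, sniffs the real MIME type from content, refuses PHP open tags, and stores the file under a server-generated name. The function names, the nonce action and the demo inputs are illustrative assumptions; the attachments directory is the one quoted in this advisory. The demo at the bottom runs under PHP 8 on the command line and exercises only the validator.

```php
<?php
// Added example (not the plugin's own code). Function names, nonce action and
// demo files are assumptions; the attachments directory is from the advisory.

// ---- Vulnerable pattern: unauthenticated, trusts the client's filename and type.
function rnx_attach_files_vulnerable(array $files, string $upload_dir): array {
    $saved = [];
    foreach ($files['tmp_name'] as $i => $tmp_name) {
        // The client chooses the extension, so shell.php lands in a web-served directory.
        $dest = $upload_dir . '/' . $files['name'][$i];
        if (move_uploaded_file($tmp_name, $dest)) {
            $saved[] = $dest;
        }
    }
    return $saved;
}

// ---- Hardened pattern: allowlist by extension AND by content-detected MIME type.
const RNX_ALLOWED = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'pdf'  => 'application/pdf',
];
const RNX_MAX_BYTES = 5 * 1024 * 1024;

// Returns [accepted (bool), reason (string), safe extension (string)].
function rnx_validate_upload(string $path, string $client_name, int $size): array {
    if ($size <= 0 || $size > RNX_MAX_BYTES) {
        return [false, 'size out of range', ''];
    }
    // Only the LAST extension counts and it must be allowlisted (shell.php.png -> "png").
    $ext = strtolower(pathinfo($client_name, PATHINFO_EXTENSION));
    if (!isset(RNX_ALLOWED[$ext])) {
        return [false, "extension '$ext' not allowed", ''];
    }
    // Sniff the type from the bytes; never trust $_FILES['type'], which the client sets.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if ($detected !== RNX_ALLOWED[$ext]) {
        return [false, "content is $detected, not " . RNX_ALLOWED[$ext], ''];
    }
    // Defence in depth against polyglots: refuse anything carrying a PHP open tag.
    $body = (string) file_get_contents($path, false, null, 0, RNX_MAX_BYTES);
    if (stripos($body, '<?php') !== false || strpos($body, '<?=') !== false) {
        return [false, 'PHP open tag in content', ''];
    }
    return [true, 'ok', $ext];
}

function rnx_attach_files_hardened(array $files, string $upload_dir): array {
    // Require a logged-in user and a valid nonce before touching any file
    // (WordPress API calls; the nonce action name is an assumption).
    if (!is_user_logged_in() || !wp_verify_nonce($_POST['_wpnonce'] ?? '', 'rnx_attach_files')) {
        return [];
    }
    $saved = [];
    foreach ($files['tmp_name'] as $i => $tmp_name) {
        if (!is_uploaded_file($tmp_name)) {
            continue; // not something PHP received via this POST
        }
        [$ok, $reason, $ext] = rnx_validate_upload($tmp_name, $files['name'][$i], (int) $files['size'][$i]);
        if (!$ok) {
            error_log("rnx upload rejected ({$files['name'][$i]}): $reason");
            continue;
        }
        // Server-generated name: the client never chooses the name or extension on disk.
        $dest = $upload_dir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
        if (move_uploaded_file($tmp_name, $dest)) {
            chmod($dest, 0644);
            $saved[] = $dest;
        }
    }
    return $saved;
}

// ---- Stand-alone demo of the validator with constructed inputs (php this_file.php).
if (PHP_SAPI === 'cli' && realpath($argv[0]) === __FILE__) {
    $dir = sys_get_temp_dir() . '/rnx-demo-' . getmypid();
    mkdir($dir);
    $png = "\x89PNG\r\n\x1a\n" . str_repeat("\0", 32);      // PNG magic bytes only
    $cases = [
        'shell.php'     => '<?php system($_GET["c"]); ?>',   // what the attacker sends
        'shell.php.png' => '<?php system($_GET["c"]); ?>',   // allowed extension, PHP content
        'photo.png'     => $png,                             // legitimate
    ];
    foreach ($cases as $name => $content) {
        $path = "$dir/$name";
        file_put_contents($path, $content);
        [$ok, $reason] = rnx_validate_upload($path, $name, strlen($content));
        printf("%-14s %s (%s)\n", $name, $ok ? 'ACCEPT' : 'REJECT', $reason);
        unlink($path);
    }
    rmdir($dir);
}
```

The validator rejects shell.php on its extension and shell.php.png on its detected type (libmagic reports PHP source as text/x-php). Pair this with a web-server rule that refuses to execute PHP anywhere under wp-content/uploads, so that a future validation bypass still cannot reach code execution.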
Attack Vector
- Unauthenticated POST request to the vulnerable endpoint with a malicious file (e.g., PHP webshell).
- Direct access to the uploaded file for code execution.
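As an added example that is not part of this advisory or the vendor's code, the two checks an incident responder would run against the attack vector above: a filesystem sweep of the attachments directory the advisory names, and a pass over the web server access log for requests to executable objects under that path. Runs under PHP 8 on the command line. The log format is Apache/nginx "combined"; the admin-ajax action name is an assumption (the advisory gives only the PHP function name), and the sample files and log lines are constructed for the demo.

```php
<?php
// Added example, not from the advisory or the vendor. The attachments path is the
// one the advisory quotes; the AJAX action name and all sample data are assumptions.

const RNX_ATTACH_PATH  = '/wp-content/uploads/wps-uploads/refund-and-exchange/attachments/';
const RNX_EXPECTED_EXT = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];
const RNX_AJAX_ACTION  = 'ced_rnx_order_exchange_attach_files'; // assumption

// 1) Filesystem: report files under the attachments directory that are not a plain
//    document type, or that carry a PHP open tag whatever their extension says.
function rnx_scan_dir(string $dir): array {
    $findings = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        $path = $file->getPathname();
        $ext  = strtolower($file->getExtension());
        $head = (string) file_get_contents($path, false, null, 0, 8192);
        if (!in_array($ext, RNX_EXPECTED_EXT, true)) {
            $findings[] = [$path, "unexpected extension '$ext'"];
        }
        if (preg_match('/<\?(php|=)/i', $head)) {
            $findings[] = [$path, 'PHP open tag in content'];
        }
    }
    return $findings;
}

// 2) Access log: flag any request for a .php/.phtml/.phar object under the
//    attachments path, and POSTs to the assumed upload action, so the upload and
//    the follow-up hit can be paired by source IP and timestamp.
function rnx_scan_log(iterable $lines): array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/';
    $findings = [];
    foreach ($lines as $line) {
        if (!preg_match($re, $line, $m)) {
            continue;
        }
        [, $ip, $ts, $method, $target, $status] = $m;
        $parts = parse_url($target) ?: [];
        $path  = $parts['path'] ?? $target;
        $query = $parts['query'] ?? '';
        if (str_starts_with($path, RNX_ATTACH_PATH) && preg_match('/\.(php\d?|phtml|phar)$/i', $path)) {
            $findings[] = [$ip, $ts, "executable object requested: $method $path ($status)"];
        } elseif ($method === 'POST' && str_ends_with($path, '/admin-ajax.php')
                  && str_contains($query, 'action=' . RNX_AJAX_ACTION)) {
            $findings[] = [$ip, $ts, "upload endpoint hit ($status)"];
        }
    }
    return $findings;
}

// Demo with constructed data (php this_file.php).
if (PHP_SAPI === 'cli' && realpath($argv[0]) === __FILE__) {
    $dir = sys_get_temp_dir() . '/rnx-ir-' . getmypid();
    mkdir($dir);
    file_put_contents("$dir/receipt.pdf", "%PDF-1.4\n");
    file_put_contents("$dir/shell.php", '<?php system($_GET["c"]); ?>');
    // Polyglot: PNG magic bytes followed by PHP; extension alone would not catch it.
    file_put_contents("$dir/photo.png", "\x89PNG\r\n\x1a\n" . '<?php eval($_POST["x"]); ?>');
    foreach (rnx_scan_dir($dir) as [$path, $why]) {
        echo "FILE  $path: $why\n";
    }
    array_map('unlink', glob("$dir/*"));
    rmdir($dir);

    $log = [
        '203.0.113.7 - - [10/Jul/2025:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=ced_rnx_order_exchange_attach_files HTTP/1.1" 200 51 "-" "curl/8.0"',
        '203.0.113.7 - - [10/Jul/2025:10:01:05 +0000] "GET /wp-content/uploads/wps-uploads/refund-and-exchange/attachments/shell.php?c=id HTTP/1.1" 200 87 "-" "curl/8.0"',
        '198.51.100.4 - - [10/Jul/2025:10:02:00 +0000] "GET /wp-content/uploads/wps-uploads/refund-and-exchange/attachments/receipt.pdf HTTP/1.1" 200 44213 "-" "Mozilla/5.0"',
    ];
    foreach (rnx_scan_log($log) as [$ip, $ts, $why]) {
        echo "LOG   $ip [$ts] $why\n";
    }
}
```

A 200 response on a request for a .php object under the attachments path is the strongest single indicator: it means the server both accepted the upload and executed it. Treat any such hit as a compromise of the web server account, not merely of the plugin.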
Patch Information
The plugin changelog lists version 3.2.4 (released October 15, 2024) as fixing a product selection error in the refund and exchange form, together with compatibility and stability improvements. That release predates this issue and does not address it: every version up to and including 3.2.6 is affected, so upgrading to 3.2.4 provides no mitigation. The fix is in the first release after 3.2.6; confirm the exact version in the plugin changelog and the Wordfence advisory, and upgrade to it or later.
Patch source: Changelog
Affected Systems and Versions
- Product: WooCommerce Refund and Exchange with RMA - Warranty Management, Refund Policy, Manage User Wallet (WordPress plugin)
- Affected Versions: All versions up to and including 3.2.6
- Vulnerable Function:
ced_rnx_order_exchange_attach_files
- Configuration: Any WordPress site with the affected plugin version installed and active
Vendor Security History
WPSwings, while responsive in releasing patches, has now had at least one critical CWE-434 vulnerability in a flagship plugin. The rapid patch turnaround is positive, but the presence of such a basic security oversight highlights the need for more rigorous secure development practices. The broader WordPress plugin ecosystem has seen similar issues, underscoring systemic risks.
References
- NVD Entry for CVE-2025-6222
- Official CVE Entry
- Plugin Changelog and Patch
- Wordfence Advisory
- VulDB Analysis
Takeaway: If you run WooCommerce Refund and Exchange with RMA, upgrade past version 3.2.6 to the release that contains the fix immediately. The risk of remote code execution is real, and exploitation is trivial. Do not delay patching.
Source: This report was created using AI