CVE-2025-10412: 
WordPress vulnerability analysis and mitigation

The Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) plugin for WordPress contains a critical vulnerability (CVE-2025-10412) discovered and disclosed on September 23, 2025. The vulnerability affects all versions up to and including 4.9.54 of the plugin. This security issue stems from misconfigured file type validation in the 'unicpoupload_file' function (NVD).

The vulnerability is classified as an Unrestricted Upload of File with Dangerous Type (CWE-434) with a CVSS v3.1 base score of 9.8 (CRITICAL). The attack vector is characterized by CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, no privileges required, and no user interaction needed for exploitation (NVD, Wordfence).

The vulnerability allows unauthenticated attackers to upload arbitrary files to the affected site's server, potentially enabling remote code execution. This presents a severe security risk as it could lead to complete system compromise and unauthorized access to sensitive data (NVD).

Users of the WooCommerce Uni CPO Premium plugin should immediately update their installations to a version newer than 4.9.54 once available. Until a patch is released, it is recommended to disable the plugin if possible or implement strict file upload restrictions at the server level (Builderius).