CVE-2025-11391: 
WordPress vulnerability analysis and mitigation

The PPOM – Product Addons & Custom Fields for WooCommerce plugin for WordPress contains an arbitrary file upload vulnerability (CVE-2025-11391) discovered in October 2025. The vulnerability affects all versions up to and including 33.0.15, specifically impacting users with the paid version of the software installed and activated, despite the vulnerable code being present in the free version (NVD).

The vulnerability stems from missing file type validation in the image cropper functionality. This security flaw has been assigned a CVSS v3.1 base score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). The issue allows unauthenticated attackers to bypass file type restrictions in the image cropper component (NVD).

The vulnerability enables unauthenticated attackers to upload arbitrary files to the affected site's server, potentially leading to remote code execution. This presents a critical security risk as it could allow attackers to take complete control of affected WordPress installations (NVD).

The issue has been addressed in version 33.0.16 of the plugin, which was released on October 16, 2025. Users are strongly advised to update to this latest version which includes security enhancements and dependency updates (WordPress Plugin).