CVE-2025-2941: 
WordPress vulnerability analysis and mitigation

The Drag and Drop Multiple File Upload for WooCommerce plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation via the wc-upload-file[] parameter in all versions up to, and including, 1.1.4. This vulnerability was discovered and reported by Phat RiO - BlueRock via WordFence and was disclosed on April 5, 2025 (NVD).

The vulnerability is classified as a Path Traversal issue (CWE-22) that allows unauthenticated attackers to move arbitrary files on the server. The vulnerability received a CVSS v3.1 Base Score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The issue stems from insufficient validation of file paths in the file upload functionality (NVD).

The vulnerability can lead to remote code execution when critical files like wp-config.php are moved, potentially giving attackers complete control over the affected WordPress installation. This poses a severe risk to the confidentiality, integrity, and availability of the affected websites (NVD).

The vulnerability has been patched in version 1.1.5 of the plugin. Site administrators are strongly advised to update to this version immediately. The update includes security fixes specifically addressing the vulnerability reported by WordFence (WordPress Plugin).