CVE-2025-53213: 
WordPress vulnerability analysis and mitigation

The vulnerability (CVE-2025-53213) is an Unrestricted Upload of File with Dangerous Type vulnerability affecting ELEXtensions ReachShip WooCommerce Multi-Carrier & Conditional Shipping plugin versions through 4.3.1. The vulnerability was discovered by Phat RiO - BlueRock and publicly disclosed on August 20, 2025 (AttackerKB, Patchstack).

The vulnerability has been assigned a CVSS v3.1 Base Score of 9.9 (Critical), with the following metrics: Attack Vector: Network, Attack Complexity: Low, Privileges Required: Low, User Interaction: None, Scope: Changed, and Impact scores of High for Confidentiality, Integrity, and Availability. The vulnerability allows authenticated users with contributor-level privileges to upload malicious files to the affected WordPress installations (AttackerKB, Patchstack).

The vulnerability could allow malicious actors to upload arbitrary files, including backdoors, which could then be executed to gain further access to the affected website. Given the critical CVSS score and the potential for remote code execution, this vulnerability poses a significant risk to affected installations (Patchstack).

The vulnerability has been fixed in version 4.3.2 of the plugin. Users are advised to update to version 4.3.2 or later immediately. Additionally, Patchstack has issued a virtual patch to mitigate this issue by blocking attacks until users can update to the fixed version (Patchstack).