6,000 WordPress Sites Affected by Arbitrary File Move Vulnerability in Drag and Drop Multiple File Upload for WooCommerce WordPress Plugin


📢 Did you know Wordfence runs a Bug Bounty Program for all WordPress plugins and themes at no cost to vendors? Researchers can earn up to $31,200 per vulnerability, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest.


On March 28th, 2025, we received a submission for an Arbitrary File Move vulnerability in Drag and Drop Multiple File Upload for WooCommerce, a WordPress plugin with more than 6,000 active installations. This vulnerability makes it possible for unauthenticated threat actors to move arbitrary files, including the wp-config.php file, which can make site takeover and remote code execution possible.

Props to Phat RiO – BlueRock who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $315.00 for this discovery. Our mission is to secure WordPress through defense in depth, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program. We are committed to making the WordPress ecosystem more secure through the detection and prevention of vulnerabilities, which is a critical element to the multi-layered approach to security.

All Wordfence Premium, Wordfence Care, and Wordfence Response customers, as well as those using the free version of our plugin, are protected against any exploits targeting this vulnerability by the Wordfence firewall’s built-in Local File Inclusion protection.

We provided full disclosure details to Glen Don Mongaya on March 28, 2025. The developer released the fully patched version on April 4, 2025. We would like to commend Glen Don Mongaya for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of Drag and Drop Multiple File Upload for WooCommerce, version 1.1.5 at the time of this writing, as soon as possible.

Vulnerability Summary from Wordfence Intelligence

Description: Drag and Drop Multiple File Upload for WooCommerce <= 1.1.4 – Unauthenticated Arbitrary File Move
Affected Plugin: Drag and Drop Multiple File Upload for WooCommerce
Plugin Slug: drag-and-drop-multiple-file-upload-for-woocommerce
Affected Versions: <= 1.1.4
CVE ID: CVE-2025-2941
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Phat RiO – BlueRock
Fully Patched Version: 1.1.5
Bounty Award: $315.00

The Drag and Drop Multiple File Upload for WooCommerce plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation via the wc-upload-file[] parameter in all versions up to, and including, 1.1.4. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php).

Technical Analysis

Drag and Drop Multiple File Uploader is a simple WordPress plugin for WooCommerce that converts the standard uploader into a drag and drop file uploader.

Examining the code reveals that the plugin uses the dndmfu_wc_add_cart_data() function to handle file uploads via the woocommerce_add_cart_item_data WooCommerce hook.

function dndmfu_wc_add_cart_data( $cart_item_data, $product_id, $variation_id ) {

    $dir        = trailingslashit( dndmfu_wc_dir() );   // plugin's upload directory
    $name       = dndmfu_wc_get_filename();             // name of the POST parameter (wc-upload-file[])
    $post_files = ( isset( $_POST[ $name ] ) ? array_map('sanitize_text_field', $_POST[ $name ] ) : null );
    $files = array();

    if( $post_files ) {

        // Loop files
        foreach( $post_files as $file ) {
            // $file is user-controlled. sanitize_text_field() and wc_clean() strip tags and
            // whitespace but do not confine the value to $dir, so $tmp_file can point anywhere on disk.
            $tmp_file = $dir . wc_clean( wp_unslash( $file ) );
            if( file_exists( $tmp_file ) ) {
                $file_name = wp_unique_filename( $dir, wp_basename( $file ) );
                $new_name  = apply_filters( 'dndmfu_wc_file_name', $file_name );
                // Sink: the unvalidated source path is moved into the upload directory.
                if( rename( $tmp_file, $dir . $new_name ) ) {
                    // ... remainder of the function is not shown in the advisory
                }
            }
        }
    }
    // ... (elided)
}

Unfortunately, the wc-upload-file[] parameter is not validated against the upload directory, so an arbitrary path can be supplied. That path is then passed to the rename() function, which moves the source file into the uploads directory.

This means that attackers can specify any file on the server to be moved, which effectively results in its deletion. This makes it possible for unauthenticated attackers to move arbitrary files on the server, including the site’s wp-config.php file. Deleting wp-config.php forces the site into a setup state, allowing an attacker to initiate a site takeover by connecting it to a database under their control.
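The fix for this class of bug is to confine the user-supplied source name to the upload directory before it ever reaches rename(). The following is an added example, not the plugin's code or Wordfence's; it runs under the PHP CLI without WordPress loaded, and the function names example_resolve_inside_dir and example_move_upload are hypothetical. It rejects anything that is not a bare file name, then confirms the canonical path (after realpath() has collapsed ".." and symlinks) still sits under the directory.

```php
<?php
// Added example, not the plugin's code: a containment check placed in front of rename().
// Function names are hypothetical; the demo files below are constructed, not real site data.

/**
 * Resolve $file relative to $dir and return its canonical path only if it is a
 * plain file name that exists inside $dir. Returns null for anything else:
 * slashes or traversal components, absolute paths, missing files, and symlinks
 * whose target lies outside $dir.
 */
function example_resolve_inside_dir( string $dir, string $file ): ?string {
    $base = realpath( $dir );
    if ( $base === false || ! is_dir( $base ) ) {
        return null;
    }
    // The uploader only writes flat files into $dir, so any value that is not a
    // bare file name ("../x", "/etc/passwd", "sub/x") is rejected up front.
    if ( $file === '' || $file !== basename( $file ) ) {
        return null;
    }
    $candidate = realpath( $base . DIRECTORY_SEPARATOR . $file );
    if ( $candidate === false || ! is_file( $candidate ) ) {
        return null;
    }
    // realpath() has collapsed ".." and symlinks, so a canonical prefix check is sound.
    if ( strpos( $candidate, $base . DIRECTORY_SEPARATOR ) !== 0 ) {
        return null;
    }
    return $candidate;
}

/**
 * Move a validated temporary upload to its final name inside $dir. This mirrors
 * the rename() step from the advisory with the containment check in front of it.
 */
function example_move_upload( string $dir, string $file, string $new_name ): bool {
    $src = example_resolve_inside_dir( $dir, $file );
    if ( $src === null ) {
        return false; // refuse rather than rename an arbitrary path
    }
    $dst = realpath( $dir ) . DIRECTORY_SEPARATOR . basename( $new_name );
    return rename( $src, $dst );
}

// --- Demo on a constructed temporary layout ---
$uploads = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'example_uploads_' . bin2hex( random_bytes( 4 ) );
mkdir( $uploads );
file_put_contents( $uploads . DIRECTORY_SEPARATOR . 'tmp_upload.png', 'constructed upload' );
$outside = $uploads . '_outside.php';              // stands in for a file outside the upload directory
file_put_contents( $outside, '<?php // constructed' );

$cases = array(
    'tmp_upload.png'              => true,   // legitimate temporary upload
    '../' . basename( $outside )  => false,  // traversal out of the directory
    $outside                      => false,  // absolute path
    'missing.png'                 => false,  // file does not exist
);
foreach ( $cases as $input => $expected ) {
    $accepted = example_resolve_inside_dir( $uploads, $input ) !== null;
    printf( "%-45s accepted=%-5s expected=%s\n", $input,
        var_export( $accepted, true ), var_export( $expected, true ) );
}

// The legitimate file is moved; the file outside the directory is left alone.
var_dump( example_move_upload( $uploads, 'tmp_upload.png', 'final.png' ) );
var_dump( file_exists( $outside ) );

// Clean up the constructed files.
@unlink( $uploads . DIRECTORY_SEPARATOR . 'final.png' );
@unlink( $outside );
@rmdir( $uploads );
```

The basename() test alone would already block the traversal in this advisory; the realpath() prefix comparison is the second layer, catching symlinks that point out of the directory. A patched plugin should also gate the handler on a nonce or capability check, which this example leaves out because it demonstrates only the path validation.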

Disclosure Timeline

March 28, 2025 – We received the submission for the Arbitrary File Move vulnerability in Drag and Drop Multiple File Upload for WooCommerce via the Wordfence Bug Bounty Program.
March 28, 2025 – We validated the report and confirmed the proof-of-concept exploit.
March 28, 2025 – We sent over the full disclosure details to the vendor.
March 29, 2025 – The vendor acknowledged the report and began working on a fix.
April 4, 2025 – The fully patched version of the plugin, 1.1.5, was released.

Conclusion

In this blog post, we detailed an Arbitrary File Move vulnerability within the Drag and Drop Multiple File Upload for WooCommerce plugin affecting versions 1.1.4 and earlier. This vulnerability allows unauthenticated threat actors to delete arbitrary files, including the wp-config.php file, which can make site takeover and remote code execution possible. The vulnerability has been addressed in version 1.1.5 of the plugin.

We encourage WordPress users to verify that their sites are updated to the latest patched version of Drag and Drop Multiple File Upload for WooCommerce as soon as possible considering the critical nature of this vulnerability.

All Wordfence users, including those running Wordfence Premium, Wordfence Care, and Wordfence Response, as well as sites running the free version of Wordfence, are fully protected against this vulnerability.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.
