CVE-2025-4387
Abandoned Cart Pro for WooCommerce <= 9.16.0 - Authenticated (Subscriber+) Arbitrary File Upload
CVSS Score
8.8
EPSS Score
0.0%
EPSS Percentile
0th
The Abandoned Cart Pro for WooCommerce plugin contains an authenticated arbitrary file upload vulnerability due to missing file type validation in the wcap_add_to_cart_popup_upload_files function in all versions up to, and including, 9.16.0. This makes it possible for an authenticated attacker, with subscriber-level access and above, to upload arbitrary files on the affected site's server which may allow for either remote or local code execution depending on the server configuration.
| CWE | CWE-434 |
| Vendor | tyche softwares |
| Product | abandoned cart pro for woocommerce |
| Published | Jun 10, 2025 |
| Last Updated | Apr 8, 2026 |
Stay Ahead of the Next One
Get instant alerts for tyche softwares abandoned cart pro for woocommerce
Be the first to know when new high vulnerabilities affecting tyche softwares abandoned cart pro for woocommerce are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
Tyche Softwares / Abandoned Cart Pro for WooCommerce
0 โค 9.16.0
References
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/5d2f07bb-89b3-41d4-b606-9722deecf816?source=cve tychesoftwares.com: https://www.tychesoftwares.com/products/woocommerce-abandoned-cart-pro-plugin/ tychesoftwares.com: https://www.tychesoftwares.com/docs/docs/abandoned-cart-pro-for-woocommerce-new/changelog-abandoned-cart-pro/#changelog-abandon-cart-pro-for-woocommerce-9-17-0-release-date-m
Credits
Phil Wylie