cleantalk
Vulnerabilities and Security Researches

Product Addons & Fields for WooCommerce, CVE-2025-11391

CVE, Research URL

CVE-2025-11391

Home page URL

Security reports for Product Addons & Fields for WooCommerce

Application

Product Addons & Fields for WooCommerce

Published on
Oct 18, 2025
Research Description
The PPOM – Product Addons & Custom Fields for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the image cropper functionality in all versions up to, and including, 33.0.15. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. While the vulnerable code is in the free version, this only affected users with the paid version of the software installed and activated.
Affected versions
max 33.0.16.
Status
vulnerable
Previous vulnerability researches
WP Statistics (CVE-2025-9816) , Nov 10, 2025
WP Statistics , May 27, 2025
WP Statistics (CVE-2025-55716) , Aug 16, 2025
WP Statistics (CVE-2022-25149) , Jun 07, 2024
WP Statistics (CVE-2022-25307) , Jun 07, 2024
New vulnerability
Link Whisper Free (CVE-2025-62970) , Nov 10, 2025
AI ChatBot with ChatGPT and Content Generator by AYS (CVE-2025-62039) , Nov 10, 2025
Name: Print Button Shortcode (CVE-2025-11810) , Nov 10, 2025
Pagerank tools (CVE-2025-12416) , Nov 10, 2025
Advanced Database Cleaner (CVE-2025-11497) , Nov 10, 2025