CVE-2025-12682 CRITICAL

CVE-2025-12682: Easy Upload Files During Checkout <= 2.9.8 - Unauthenticated Arbitrary JavaScript File Upload

Vendor Fahadmahmood

Product Easy Upload Files During Checkout

Weakness CWE-434 · Unrestricted file upload

Published November 4, 2025

Last update April 8, 2026

View on NVD All CVEs

CVSS base score

9.8/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

Description

The Easy Upload Files During Checkout plugin for WordPress is vulnerable to arbitrary JavaScript file uploads due to missing file type validation in the 'file_during_checkout' function in all versions up to, and including, 2.9.8. This makes it possible for unauthenticated attackers to upload arbitrary JavaScript files on the affected site's server which may make remote code execution possible.

Key dates

Disclosure timeline

November 4, 2025 CVE published

April 8, 2026 Record updated

Identifiers

CVE CVE-2025-12682

CWE CWE-434

CVSS 9.8 / CRITICAL

Affected versions

Vendor Fahadmahmood

Product Easy Upload Files During Checkout

Affected ≤ 2.9.8