CVE-2025-13156 HIGH

CVE-2025-13156: Vitepos – Point of Sale (POS) for WooCommerce <= 3.3.0 - Authenticated (Subscriber+) Arbitrary File Upload to Remote Code Execution

Vendor Appsbd
Product Vitepos – Point of Sale (POS) for WooCommerce
Weakness CWE-434 · Unrestricted file upload
Published November 21, 2025
Last update April 8, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The Vitepos – Point of Sale (POS) for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the insert_media_attachment() function in all versions up to, and including, 3.3.0. This is due to the save_update_category_img() function accepting user-supplied file types without validation when processing category images. This makes it possible for authenticated attackers, with subscriber level access and above, to upload arbitrary files on the affected site's server which makes remote code execution possible.
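As a defensive illustration of the missing check, here is a hypothetical category-image upload handler written for this page (it is not Vitepos code and the names vitepos_example_save_category_image, category_img and the nonce action are assumptions). It applies the validation the description says insert_media_attachment() and save_update_category_img() lack, and assumes wp-admin/includes/file.php is loaded so wp_handle_upload() is available.

```php
<?php
// Added example, not Vitepos code: a hypothetical category-image upload handler
// applying the file type validation the advisory says is missing. Assumes it
// runs inside WordPress with WooCommerce and wp-admin/includes/file.php loaded.
function vitepos_example_save_category_image( int $term_id ) {
    // Capability check: a Subscriber-level account must be rejected up front.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient privileges.' );
    }
    // Nonce check so the request cannot be forged from another origin.
    $nonce = isset( $_POST['_wpnonce'] ) ? $_POST['_wpnonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'vitepos_example_category_image' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid request.' );
    }
    $file = isset( $_FILES['category_img'] ) ? $_FILES['category_img'] : null;
    if ( empty( $file['tmp_name'] ) || ! is_uploaded_file( $file['tmp_name'] ) ) {
        return new WP_Error( 'no_file', 'No file uploaded.' );
    }
    // Allowlist of image types; never trust $_FILES['type'] or the raw extension.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'webp'     => 'image/webp',
    );
    // wp_check_filetype_and_ext() inspects file contents and cross-checks the extension.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'Only JPEG, PNG or WebP images are accepted.' );
    }
    if ( ! empty( $check['proper_filename'] ) ) {
        $file['name'] = $check['proper_filename']; // use the corrected extension
    }
    // Let WordPress move the file; passing the same allowlist makes
    // wp_handle_upload() re-validate and refuse anything else, e.g. a .php file.
    $upload = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $upload['error'] ) ) {
        return new WP_Error( 'upload_failed', $upload['error'] );
    }
    // Register the attachment and link it to the term ('thumbnail_id' is WooCommerce's key).
    $attachment_id = wp_insert_attachment( array(
        'post_mime_type' => $upload['type'],
        'post_title'     => sanitize_file_name( basename( $upload['file'] ) ),
        'post_status'    => 'inherit',
    ), $upload['file'] );
    if ( ! $attachment_id ) {
        return new WP_Error( 'attach_failed', 'Could not create attachment.' );
    }
    update_term_meta( $term_id, 'thumbnail_id', $attachment_id );
    return $attachment_id;
}
```

The two layers matter together: the capability check keeps Subscriber-level accounts away from the endpoint entirely, and the content-based allowlist rejects a disguised script even when a privileged account is compromised.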

Explanation of Vulnerability in Simple Terms

02 Summary

Vitepos allows authenticated users to upload files without proper validation, enabling them to upload malicious files to the server. An attacker with low-level access can exploit this to run their own code on the site, read sensitive data, or modify site content. All versions up to 3.3.0 are affected.

What an attacker can do

03 Attacker Capabilities

Upload and execute malicious files on the server to run arbitrary code, steal data, or modify the site.

Potential impact on your site

04 Site Impact

A compromised user account can lead to full site takeover, data theft, or malware injection affecting all customers.

Conditions required to exploit

05 Prerequisites

Attacker must have a low-level user account (e.g., customer or contributor role) on the WooCommerce site.

Key dates

06 Disclosure timeline

November 21, 2025 CVE published
April 8, 2026 Record updated