01 Description: What the vulnerability does
The Vitepos – Point of Sale (POS) for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the insert_media_attachment() function in all versions up to, and including, 3.3.0. This is due to the save_update_category_img() function accepting user-supplied file types without validation when processing category images. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files to the affected site's server, which makes remote code execution possible.
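The defect described above is a category-image handler that trusts whatever file type the client declares. The following is an added example, not the Vitepos plugin's own code, of how a WordPress plugin's image upload handler can enforce server-side validation: the AJAX action name, the function name, the `image` field name and the nonce name are assumptions for illustration; the WooCommerce capability `manage_product_terms` is used as the authorization check and the rest are WordPress core functions.

```php
<?php
/**
 * Added example (not the Vitepos plugin's code): a hardened handler for a
 * "category image" upload. Names marked "assumed" are illustrative only.
 */

// Assumed AJAX action; admin-ajax.php routes wp_ajax_{action} to this callback.
add_action( 'wp_ajax_example_save_category_img', 'example_save_category_img' );

function example_save_category_img() {
    // 1. CSRF: the request must carry a nonce issued for this action (assumed nonce name).
    check_ajax_referer( 'example_category_img', 'nonce' );

    // 2. Authorization: "logged in" is not enough, since subscribers can log in.
    //    Require both the ability to upload files and to manage product terms.
    if ( ! current_user_can( 'upload_files' ) || ! current_user_can( 'manage_product_terms' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    if ( empty( $_FILES['image'] ) || ! is_uploaded_file( $_FILES['image']['tmp_name'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }
    $file = $_FILES['image'];

    // 3. Type validation: the allow-list lives on the server and is checked against
    //    the file's contents. $_FILES['image']['type'] is client-supplied and ignored.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
        'webp'     => 'image/webp',
    );
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }
    // Core may decide the extension does not match the content; use its corrected name.
    if ( ! empty( $check['proper_filename'] ) ) {
        $file['name'] = $check['proper_filename'];
    }
    // Second, independent check that the bytes really parse as an image.
    if ( 0 !== strpos( $check['type'], 'image/' ) || false === getimagesize( $file['tmp_name'] ) ) {
        wp_send_json_error( 'not an image', 415 );
    }

    // 4. Let core move the file into the uploads directory with the same allow-list.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $moved = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $moved['error'] ) ) {
        wp_send_json_error( $moved['error'], 400 );
    }

    // 5. Register the file as an attachment so normal media-library handling applies.
    $attachment_id = wp_insert_attachment( array(
        'post_mime_type' => $moved['type'],
        'post_title'     => sanitize_file_name( pathinfo( $moved['file'], PATHINFO_FILENAME ) ),
        'post_status'    => 'inherit',
    ), $moved['file'] );
    if ( is_wp_error( $attachment_id ) || 0 === $attachment_id ) {
        wp_send_json_error( 'could not create attachment', 500 );
    }
    require_once ABSPATH . 'wp-admin/includes/image.php';
    wp_update_attachment_metadata(
        $attachment_id,
        wp_generate_attachment_metadata( $attachment_id, $moved['file'] )
    );

    wp_send_json_success( array( 'attachment_id' => $attachment_id, 'url' => $moved['url'] ) );
}
```

The two controls that matter for the class of bug described on this page are step 2 (a capability check rather than a login check) and step 3 (a server-side allow-list checked against file contents via `wp_check_filetype_and_ext()`, with the client-declared MIME type never consulted). When reviewing a plugin, those are the two checks to look for in any function that ends in `wp_insert_attachment()` or a raw `move_uploaded_file()`.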
02 Summary: Explanation of the vulnerability in simple terms
Vitepos allows authenticated users to upload files without proper validation, enabling them to upload malicious files to the server. An attacker with low-level access can exploit this to run their own code on the site, read sensitive data, or modify site content. All versions up to 3.3.0 are affected.
03 Attacker Capabilities: What an attacker can do
Upload and execute malicious files on the server to run arbitrary code, steal data, or modify the site.
04 Site Impact: Potential impact on your site
A compromised user account can lead to full site takeover, data theft, or malware injection affecting all customers.
05 Prerequisites: Conditions required to exploit
Attacker must have a low-level user account (e.g., customer or contributor role) on the WooCommerce site.
06 Disclosure timeline: Key dates
November 21, 2025: CVE published
April 8, 2026: Record updated