CVE-2025-29009 CRITICAL

CVE-2025-29009: WordPress Medical Prescription Attachment Plugin for WooCommerce <= 1.2.3 - Arbitrary File Upload Vulnerability

Vendor: Webkul
Product: Medical Prescription Attachment Plugin for WooCommerce
Weakness: CWE-434 · Unrestricted file upload
Published: July 16, 2025
Last update: April 28, 2026

CVSS base score

10.0/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01 Description

An Unrestricted Upload of File with Dangerous Type vulnerability in the Webkul Medical Prescription Attachment Plugin for WooCommerce (medical-prescription-attachment-plugin-for-woocommerce) allows an attacker to upload a web shell to a web server. This issue affects Medical Prescription Attachment Plugin for WooCommerce: from n/a through <= 1.2.3.

Explanation of Vulnerability in Simple Terms

02 Summary

The Medical Prescription Attachment Plugin for WooCommerce versions 1.2.3 and earlier allow unauthenticated attackers to upload arbitrary files to the server without validation. An attacker can upload malicious files—including PHP scripts—to execute code on the site or replace legitimate files. No user interaction or authentication is required.

What an attacker can do

03 Attacker Capabilities

Upload and execute arbitrary files, including PHP code, on the site without authentication.

Potential impact on your site

04 Site Impact

Attackers can run malicious code, steal data, modify site content, or take full control of the WooCommerce installation.

Conditions required to exploit

05 Prerequisites

Network access to the site; no authentication or user interaction required.
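A triage check for the exposure described above, as an added example that is not part of the advisory or the vendor's code: it reads the installed plugin version and lists script-type files under the uploads directory for review. It assumes the default WordPress layout (`wp-content/plugins/<slug>/` and `wp-content/uploads/`); the advisory does not say where the plugin stores uploaded files, and the sample site tree is constructed.

```python
import os
import re
import tempfile

SLUG = "medical-prescription-attachment-plugin-for-woocommerce"  # from the advisory
LAST_AFFECTED = (1, 2, 3)  # advisory: versions <= 1.2.3
SCRIPT_EXTS = {".php", ".phtml", ".phar", ".php5", ".php7"}  # assumption: PHP-handled types
HEADER = r"^[ \t/*#@]*%s:\s*(\S.*)$"  # WordPress-style plugin header line

def parse_version(text):
    """'1.2.3' -> (1, 2, 3), taking the leading digits of each dotted part."""
    return tuple(int(re.match(r"\d*", p).group() or 0) for p in text.strip().split("."))

def is_affected(version):
    # Only the first three components are compared, which errs toward flagging.
    return version is not None and parse_version(version)[:3] <= LAST_AFFECTED

def installed_version(wp_root):
    """Read 'Version:' from the plugin's top-level PHP file that has a plugin header."""
    plugin_dir = os.path.join(wp_root, "wp-content", "plugins", SLUG)
    if not os.path.isdir(plugin_dir):
        return None
    for name in sorted(n for n in os.listdir(plugin_dir) if n.endswith(".php")):
        with open(os.path.join(plugin_dir, name), errors="replace") as fh:
            head = fh.read(8192)  # headers sit at the top of the file
        m = re.search(HEADER % "Version", head, re.M | re.I)
        if m and re.search(HEADER % "Plugin Name", head, re.M | re.I):
            return m.group(1).strip()
    return None

def script_files_in_uploads(wp_root):
    """List script-type files under wp-content/uploads for manual review."""
    up = os.path.join(wp_root, "wp-content", "uploads")
    return sorted(os.path.join(b, f) for b, _d, fs in os.walk(up) for f in fs
                  if os.path.splitext(f)[1].lower() in SCRIPT_EXTS)

def build_constructed_site(root, version):
    """Create a constructed (fake) WordPress tree so the example runs offline."""
    plug = os.path.join(root, "wp-content", "plugins", SLUG)
    up = os.path.join(root, "wp-content", "uploads", "2025", "07")
    os.makedirs(plug)
    os.makedirs(up)
    with open(os.path.join(plug, "plugin-main.php"), "w") as fh:
        fh.write("<?php\n/**\n * Plugin Name: Constructed Sample\n * Version: %s\n */\n" % version)
    for name in ("rx-scan.pdf", "note.PHP"):
        open(os.path.join(up, name), "w").close()
    return root

if __name__ == "__main__":
    site = build_constructed_site(tempfile.mkdtemp(), "1.2.3")
    print(installed_version(site), is_affected(installed_version(site)), script_files_in_uploads(site))
```

A hit from `script_files_in_uploads` is a file to inspect, not proof of compromise; point the functions at a real document root in place of the constructed tree.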

Key dates

06 Disclosure timeline

July 16, 2025: CVE published
April 28, 2026: Record updated