CVE-2025-53213 CRITICAL

CVE-2025-53213: WordPress ReachShip WooCommerce Multi-Carrier & Conditional Shipping <= 4.3.1 - Arbitrary File Upload Vulnerability

Vendor: Elextensions
Product: ReachShip WooCommerce Multi-Carrier & Conditional Shipping
Weakness: CWE-434 · Unrestricted file upload
Published: August 20, 2025
Last update: April 28, 2026

CVSS base score

9.9/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01 Description

Unrestricted Upload of File with Dangerous Type vulnerability in ELEXtensions ReachShip WooCommerce Multi-Carrier & Conditional Shipping elex-reachship-multi-carrier-conditional-shipping allows Using Malicious Files. This issue affects ReachShip WooCommerce Multi-Carrier & Conditional Shipping: from n/a through <= 4.3.1.

Explanation of Vulnerability in Simple Terms

02 Summary

ReachShip WooCommerce Multi-Carrier & Conditional Shipping versions up to 4.3.1 do not properly validate file uploads. An authenticated user with low privileges can upload arbitrary files to the server, potentially gaining the ability to run their own code on the site. This affects all users, data, and site functionality.

What an attacker can do

03 Attacker Capabilities

Upload arbitrary files and run their own code on the site.

Potential impact on your site

04 Site Impact

Complete compromise of the site: attackers can steal data, modify content, create admin accounts, or take the site offline.

Conditions required to exploit

05 Prerequisites

Attacker must have a low-privilege account (e.g., customer or subscriber role) on the WooCommerce site.

Key dates

06 Disclosure timeline

August 20, 2025: CVE published
April 28, 2026: Record updated