What the vulnerability does
01 Description
Unrestricted Upload of File with Dangerous Type vulnerability in ELEXtensions ReachShip WooCommerce Multi-Carrier & Conditional Shipping (elex-reachship-multi-carrier-conditional-shipping) allows Using Malicious Files. This issue affects ReachShip WooCommerce Multi-Carrier & Conditional Shipping: from n/a through <= 4.3.1.
Explanation of Vulnerability in Simple Terms
02 Summary
ReachShip WooCommerce Multi-Carrier & Conditional Shipping versions up to 4.3.1 do not properly validate file uploads. An authenticated user with low privileges can upload arbitrary files to the server, potentially gaining the ability to run their own code on the site. This affects all users, data, and site functionality.
What an attacker can do
03 Attacker Capabilities
Upload arbitrary files and run their own code on the site.
Potential impact on your site
04 Site Impact
Complete compromise of the site: attackers can steal data, modify content, create admin accounts, or take the site offline.
Conditions required to exploit
05 Prerequisites
Attacker must have a low-privilege account (e.g., customer or subscriber role) on the WooCommerce site.
Key dates
06 Disclosure timeline
August 20, 2025: CVE published
April 28, 2026: Record updated