cbcvebase.
CVE-2025-13156
published 2025-11-21

CVE-2025-13156: The Vitepos – Point of Sale (POS) for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the…

PriorityP262high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
0.60%
44.2th percentile
The Vitepos – Point of Sale (POS) for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the insert_media_attachment() function in all versions up to, and including, 3.3.0. This is due to the save_update_category_img() function accepting user-supplied file types without validation when processing category images. This makes it possible for authenticated attackers, with subscriber level access and above, to upload arbitrary files on the affected site's server which makes remote code execution possible.

Affected

1 ranges
VendorProductVersion rangeFixed in
appsbdvitepos_point_of_sale_for_woocommerce<= 3.3.0
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.