CVE-2025-53213

ELEXtensions · ReachShip WooCommerce Multi-Carrier & Conditional Shipping

An unrestricted file upload vulnerability in the ELEXtensions ReachShip WooCommerce Multi-Carrier & Conditional Shipping plugin lets an attacker upload attacker-controlled files, including server-side scripts, to the site, which can lead to remote code execution.

Executive summary

The ELEXtensions ReachShip WooCommerce Multi-Carrier & Conditional Shipping plugin contains an unrestricted file upload vulnerability: an attacker can place arbitrary files, including PHP scripts, on the host server, and the web server will execute such a script if the upload location is reachable over HTTP.

Vulnerability

The plugin does not adequately validate the type of files submitted through its upload feature, so an attacker can upload a server-side script (for example a PHP file) where only data files are expected. Any user who can interact with the upload feature can exploit it; once a script is stored under a web-accessible path, a single request to it runs the attacker's code with the privileges of the web server user, which is why the risk of unauthorized code execution is rated high.

Business impact

Arbitrary file upload is a critical security failure because it collapses to web shell deployment in a single step. The CVSS score of 9.9 reflects that: complete takeover of the web server, a foothold for lateral movement into the internal network, and exposure of the sensitive customer and transaction data that WooCommerce handles.

Remediation

Immediate Action: Update the ReachShip WooCommerce Multi-Carrier & Conditional Shipping plugin to the latest version, which enforces strict validation of uploaded file types. If the site cannot be updated promptly, deactivate the plugin until it can be.

Proactive Monitoring: Review the directories where user uploads are stored (on WordPress, wp-content/uploads) for unexpected script files (.php, .phtml, .phar and the like), including double extensions such as image.php.jpg, and for stray .htaccess files that an attacker may have dropped to re-enable execution. Check the web server access logs for requests to any file found: a hit on an uploaded script is evidence the shell was used, not merely staged.

Compensating Controls: Configure the web server so that the PHP handler never runs files from upload directories (an Apache .htaccess or nginx location rule that denies requests for script extensions under wp-content/uploads), and restrict permissions on those directories so uploaded files are neither executable nor world-writable. These controls limit impact only; they do not remove the upload flaw, and they can be defeated if the attacker can also upload an .htaccess that overrides them, so the patch remains mandatory.
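The monitoring and compensating-control steps above, as an added POSIX sh example that is not code from the advisory or from ELEXtensions. It assumes (none of which the page states) that uploads live under wp-content/uploads, that the site runs on Apache 2.4 with AllowOverride enabled so a per-directory .htaccess is honoured, and that the demonstration tree it builds in a temporary directory is constructed data, not real site content.

```shell
#!/bin/sh
# Added example, not from the advisory or the plugin vendor. Assumptions:
# uploads under wp-content/uploads; Apache 2.4 honouring .htaccess there.

# Monitoring: list files under the uploads tree with extensions a PHP handler
# may execute. '*.php.*' deliberately catches double extensions such as
# shell.php.jpg, which AddHandler-style configurations can still run.
find_script_files() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
        -o -iname '*.phtml' -o -iname '*.phar' -o -iname '*.phps' \
        -o -iname '*.inc' -o -iname '*.php.*' \) | sort
}

# Monitoring: an attacker who can write .htaccess below the uploads root can
# re-enable execution, so nested .htaccess files are worth listing too.
find_htaccess_overrides() {
    find "$1" -mindepth 2 -type f -name '.htaccess' | sort
}

# Compensating control: refuse to serve anything script-like from uploads.
# The FilesMatch pattern is unanchored on purpose so shell.php.jpg is covered.
# php_flag only applies under mod_php; with php-fpm the deny rule does the work.
write_upload_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
# Block execution of server-side scripts in the uploads tree (added mitigation).
<FilesMatch "\.(?i:php|php[0-9]|phtml|phar|phps|inc)">
    Require all denied
</FilesMatch>
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
EOF
}

# Compensating control: no upload needs the execute bit or world write.
# Owner/group write is left alone so WordPress can still store media.
harden_upload_permissions() {
    find "$1" -type f \( -perm -o+w -o -perm /111 \) -exec chmod o-w,a-x {} +
    find "$1" -type d -perm -o+w -exec chmod o-w {} +
}

# Constructed demonstration tree (not real site data) so this runs offline.
demo_uploads() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/uploads/2025/07"
    : > "$tmp/uploads/2025/07/photo.jpg"
    : > "$tmp/uploads/2025/07/shell.php"
    : > "$tmp/uploads/2025/07/shell.php.jpg"
    : > "$tmp/uploads/2025/07/.htaccess"
    chmod 755 "$tmp/uploads/2025/07/shell.php"
    echo "suspicious files:"; find_script_files "$tmp/uploads"
    echo "nested .htaccess:"; find_htaccess_overrides "$tmp/uploads"
    write_upload_htaccess "$tmp/uploads"
    harden_upload_permissions "$tmp/uploads"
    rm -rf "$tmp"
}
demo_uploads
```

On a real site replace the temporary tree with the document root's wp-content/uploads and keep the written .htaccess owned by a user other than the one PHP runs as, so the upload flaw cannot overwrite it. On nginx the equivalent is a regex location such as `location ~* /wp-content/uploads/.*\.php { deny all; }` placed before the generic `\.php$` location, since nginx takes the first matching regex location.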

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

This vulnerability represents an extreme risk because remote code execution follows directly from a successful upload. Patch immediately to prevent attackers from establishing persistence or stealing sensitive e-commerce data, and treat any script file already found in the uploads tree as a confirmed compromise to be investigated, not just removed.