PRP: PPOM (WordPress plugin) CVE-2025-11391 Arbitrary File Upload

[a3vX]

• Identifier of the vulnerability: CVE-2025-11391
• Affected software: PPOM – Product Addons & Custom Fields for WooCommerce plugin for WordPress
• Type of vulnerability: RCE
• Requires authentication: No
• Language you would use for writing the plugin: Templated plugins
• Resources:
  • https://nvd.nist.gov/vuln/detail/CVE-2025-11391 (CVSS 9.8 CRITICAL)
  • https://www.wordfence.com/threat-intel/vulnerabilities/id/cf851bed-f5d8-44e2-810d-906ba3d3c1c5?source=cve
  • https://plugins.trac.wordpress.org/browser/woocommerce-product-addon/trunk/inc/hooks.php#L45

Hi,
This WordPress plugin (over 1 million downloads and 20K active installs) is vulnerable to unauthenticated remote code execution through a file upload vulnerability.
Is this something that you would be interested in?
Thanks!

--a3vX

[github-actions]

Welcome to the Tsunami patch reward program!

Your issue has been added to our triage queue and will reviewed
shortly. The panel usually takes a decision once per week, so it
can take up to a week before you hear back from us.

Please, do not start the work until the panel has reached a
decision. Although we always welcome contributions, unapproved
work is not eligible for a reward.

~The Tsunami PRP team

[github-actions]

This message is addressed to the Tsunami panel.

Contributor stats

• The contributor has 1 issues tagged as main;
• The contributor has 3 issues tagged as queue.

Useful links

• All open issues from this contributor
• All open PRs from this contributor

[tooryx]

Automated message: Do not reply to that comment or tag the author. We just announced a temporary program freeze please see #752 for details. Thank you for your understanding and patience.