CVE-2025-10041

CRITICAL
2025-10-15 [email protected]
9.8
CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Apr 08, 2026 - 18:38 (vuln.today)
CVE Published: Oct 15, 2025 - 09:15 (nvd), CRITICAL 9.8

Description

The Flex QR Code Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the save_qr_code_to_db() function in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server, which may make remote code execution possible.

Analysis

Arbitrary file upload in the Flex QR Code Generator plugin (WordPress) versions ≤1.2.5 allows unauthenticated remote attackers to upload malicious files without restriction, enabling remote code execution on vulnerable web servers. The flaw stems from absent file type validation in the save_qr_code_to_db() function, which is reachable over the network with no authentication barrier. With CVSS 9.8 (critical) and EPSS data unavailable, this represents a severe exposure for WordPress sites running the affected plugin. No public exploit was identified at the time of analysis, and the CVE is not listed in CISA KEV, but the trivial attack complexity (AC:L, PR:N) makes this a high-priority remediation target.

Technical Context

This vulnerability manifests in the save_qr_code_to_db() function within the Flex QR Code Generator WordPress plugin, which fails to validate file types during upload operations. The affected code resides at line 208 of qr-code-generator.php (version 1.2.5). The root cause is CWE-434 (Unrestricted Upload of File with Dangerous Type), a classic web application security weakness where user-supplied files are accepted without verifying extensions, MIME types, or content signatures. WordPress plugins frequently implement custom file handling outside the platform's core media upload functions, which include built-in security checks. When developers bypass these safeguards without implementing equivalent validation, attackers can upload PHP web shells, executable scripts, or other malicious payloads disguised as legitimate file types. Once uploaded to a web-accessible directory, these files can be directly invoked via HTTP requests, executing arbitrary code in the context of the web server process. The plugin's QR code generation functionality likely accepts user input for customization, and this input path became an attack vector due to insufficient server-side sanitization.

Affected Products

The vulnerability affects the Flex QR Code Generator plugin for WordPress, specifically all versions up to and including 1.2.5. The plugin is distributed through the official WordPress plugin repository at wordpress.org/plugins/flex-qr-code-generator. Based on the Wordfence vulnerability reference (ID 40000879-a5ef-48f2-97e4-77d527259af0) and code-level references pointing to the 1.2.5 tag in the WordPress plugin Trac repository, sites running version 1.2.5 or earlier contain the exploitable save_qr_code_to_db() function without file type validation. The vendor advisory and changeset are documented at plugins.trac.wordpress.org under changeset 3379026. WordPress administrators can verify installed versions through the Plugins dashboard in wp-admin or by checking the plugin's main PHP file header.

Remediation

WordPress site administrators should immediately update the Flex QR Code Generator plugin to version 1.2.6 or later, which addresses the file upload validation weakness. The vendor-released patch is available through the WordPress plugin repository and can be applied via the automatic update mechanism in the WordPress admin dashboard (Plugins > Installed Plugins > Update Available). For sites with automatic updates enabled, verify that the update has been successfully applied by checking the installed version number. As an interim mitigation if patching is delayed, administrators can deactivate and remove the plugin entirely until the update is deployed. Review web server logs for suspicious file upload activity targeting the plugin's endpoint, particularly POST requests to paths containing save_qr_code_to_db or QR code generation functions. Inspect the WordPress uploads directory and plugin-specific directories for unexpected PHP files, shell scripts, or executable content uploaded between the vulnerability disclosure date and patch application. Detailed technical information and the corrected code are available in WordPress changeset 3379026 at plugins.trac.wordpress.org. Wordfence users can reference threat intelligence ID 40000879-a5ef-48f2-97e4-77d527259af0 for additional detection signatures and indicators of compromise.
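To support the log review and uploads-directory inspection described above, here is an added Python example (not the plugin's or vuln.today's code) that flags POST requests to the plugin's path in combined-format access logs and lists files under wp-content/uploads that carry an executable extension, including double extensions. The plugin's URL prefix is assumed from its wordpress.org slug, and all log lines and files are constructed sample data.

```python
import re
import tempfile
from pathlib import Path

# Assumed URL prefix for the plugin, derived from its wordpress.org slug
PLUGIN_PATH = "/wp-content/plugins/flex-qr-code-generator/"
# Extensions a web server may execute; none belong under wp-content/uploads
EXEC_EXTS = {".php", ".phtml", ".php5", ".php7", ".phar", ".sh"}
# Apache/nginx "combined" access-log line
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')


def suspicious_requests(log_lines):
    """Return (ip, timestamp, path, status) for every POST to the plugin path."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and PLUGIN_PATH in m["path"]:
            hits.append((m["ip"], m["ts"], m["path"], int(m["status"])))
    return hits


def executable_files(uploads_dir):
    """Return relative paths under uploads_dir that carry any executable
    extension; Path.suffixes is checked so x.php.png is caught as well."""
    root = Path(uploads_dir)
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*")
                  if p.is_file() and EXEC_EXTS & {s.lower() for s in p.suffixes})


# Constructed sample log lines (not real traffic): a benign GET to the plugin,
# a POST to the plugin's main file, and a POST to wp-login.php (not flagged)
SAMPLE_LOG = [
    '203.0.113.5 - - [16/Oct/2025:10:01:02 +0000] "GET /wp-content/plugins/flex-qr-code-generator/assets/app.js HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.5 - - [16/Oct/2025:10:01:09 +0000] "POST /wp-content/plugins/flex-qr-code-generator/qr-code-generator.php HTTP/1.1" 200 77 "-" "curl/8.0"',
    '198.51.100.7 - - [16/Oct/2025:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


def demo():
    """Build a constructed uploads tree in a temp dir and run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel in ("2025/10/qr-site.png", "2025/10/shell.php.png", "2025/10/.x.php"):
            f = Path(tmp, rel)
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_text("constructed placeholder\n")
        return suspicious_requests(SAMPLE_LOG), executable_files(tmp)


if __name__ == "__main__":
    print(demo())
```

If the plugin receives uploads through wp-admin/admin-ajax.php rather than a file under its own directory, match on the request's action parameter instead of the path prefix.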

Priority Score

49 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.1
CVSS: +49
POC: 0
