CVE-2025-3054

EUVD-2025-16962 | HIGH 8.8 (CVSS 3.1)
2025-06-05 [email protected]

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

EUVD ID Assigned - Mar 14, 2026 17:53 (euvd): EUVD-2025-16962
Analysis Generated - Mar 14, 2026 17:53 (vuln.today)
CVE Published - Jun 05, 2025 06:15 (nvd): HIGH 8.8

Description (NVD)

The WP User Frontend Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the upload_files() function in all versions up to, and including, 4.1.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. Please note that this requires the 'Private Message' module to be enabled and the Business version of the PRO software to be in use.

Analysis (AI)

WP User Frontend Pro plugin for WordPress versions up to 4.1.3 contains an arbitrary file upload vulnerability in the upload_files() function due to missing file type validation, allowing authenticated Subscriber-level users to upload malicious files and achieve remote code execution. This vulnerability is particularly dangerous because it requires only Subscriber-level privileges (the lowest authenticated role in WordPress) and no user interaction, making it a high-severity post-authentication attack vector. The vulnerability is conditional on the Private Message module being enabled and requires the Business version of the PRO software.

Technical Context (AI)

The vulnerability resides in the WP User Frontend Pro WordPress plugin (CPE: wp:wp_user_frontend_pro or wordpress:wp_user_frontend_pro), specifically in the upload_files() function which handles file uploads for the Private Message module. The root cause is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type), a well-known file upload validation weakness. The plugin fails to properly validate file types before persisting uploaded files to the server, allowing attackers to bypass WordPress's typical file upload restrictions. This is particularly critical in WordPress environments where uploaded files landing in the web-accessible directory (typically wp-content/uploads/) can be directly executed as PHP code if the web server is configured to parse PHP in that directory. The Private Message module specifically handles file attachments, making it the attack surface for this vulnerability.

Remediation (AI)

Immediate actions:
(1) Update WP User Frontend Pro to version 4.1.4 or later when available (the patch version is not specified in the description; contact the vendor for availability).
(2) If immediate patching is not possible, disable the Private Message module in the WP User Frontend Pro settings until a patch is applied.
(3) Restrict the Subscriber role's upload capabilities via WordPress role/capability plugins (e.g., User Role Editor) to reduce the attack surface.
(4) Restrict uploaded-file handling at the web server level (e.g., mod_rewrite rules preventing PHP execution in wp-content/uploads/).
(5) Review accounts with Subscriber or higher roles and remove any that are unnecessary.
(6) Monitor the uploads directory for suspicious files (PHP, shell scripts, executables).

Vendor advisory: check the WP User Frontend official plugin repository and security advisories for patch version 4.1.4+.

Long-term: implement Web Application Firewall (WAF) rules to detect polyglot or double-extension file uploads, and enforce strict MIME type validation on both the client and the server side.
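As an added example (not from the vuln.today record or the plugin vendor), the following Python audit implements the monitoring step above: it walks an uploads tree and flags files with PHP or script extensions, double extensions, and PHP opening tags hidden inside files carrying an image extension. The YYYY/MM layout mirrors how WordPress organises wp-content/uploads/, and the sample files are constructed placeholders.

```python
import os
import re
import tempfile
from pathlib import Path

# Extensions that should never be served from the uploads tree; any one of them
# appearing anywhere in a file name (notes.php, image.php.jpg) is a finding.
DANGEROUS_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "sh", "exe"}
# Opening PHP tag, to catch a PHP payload behind an image extension (polyglot).
# "<?xml" is deliberately not matched, so SVG/XML uploads are not flagged on content alone.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def classify_file(path: Path) -> list[str]:
    """Return findings for one file; an empty list means nothing suspicious."""
    findings = []
    exts = path.name.lower().split(".")[1:]          # "image.php.jpg" -> ["php", "jpg"]
    if exts and exts[-1] in DANGEROUS_EXTS:
        findings.append("dangerous-extension")
    elif any(e in DANGEROUS_EXTS for e in exts[:-1]):
        findings.append("double-extension")
    try:
        head = path.read_bytes()[:4096]               # the first 4 KiB is enough for the tag check
    except OSError:
        return findings
    if PHP_TAG.search(head):
        findings.append("php-code-in-content")
    return findings


def audit_uploads(root: str) -> dict[str, list[str]]:
    """Walk an uploads tree and map each suspicious path (relative to root) to its findings."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            findings = classify_file(p)
            if findings:
                results[p.relative_to(root).as_posix()] = findings
    return results


def build_sample_uploads() -> str:
    """Constructed sample tree (not real data) laid out like wp-content/uploads/YYYY/MM/."""
    root = tempfile.mkdtemp(prefix="uploads-")
    month = Path(root) / "2025" / "06"
    month.mkdir(parents=True)
    (month / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0\x00\x10JFIF")        # benign JPEG header
    (month / "notes.php").write_bytes(b"<?php echo 'placeholder'; ?>")         # PHP file as-is
    (month / "image.php.jpg").write_bytes(b"\xff\xd8\xff\xe0\x00\x10JFIF")    # double extension
    (month / "avatar.png").write_bytes(b"GIF89a<?php echo 'placeholder'; ?>")  # polyglot content
    return root
```

Pointing audit_uploads() at a real wp-content/uploads/ path gives a list to triage; it complements, rather than replaces, blocking PHP execution in that directory and applying the vendor patch.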


CVE-2025-3054 vulnerability details – vuln.today
