CVE-2025-4413

EUVD-2025-18639 | HIGH | CVSS 3.1 base score 8.8
Published 2025-06-18

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

- Mar 14, 2026 22:49 (vuln.today): Analysis generated
- Mar 14, 2026 22:49 (euvd): EUVD ID assigned, EUVD-2025-18639
- Jun 18, 2025 03:15 (nvd): CVE published, HIGH 8.8

Description

The Pixabay Images plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the pixabay_upload function in all versions up to, and including, 3.4. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Analysis

The Pixabay Images plugin for WordPress versions up to 3.4 contains an arbitrary file upload vulnerability in the pixabay_upload function due to missing file type validation. Authenticated attackers with Author-level access or higher can upload arbitrary files to the server, potentially enabling remote code execution. This vulnerability has a CVSS score of 8.8 (High) and represents a significant risk to WordPress installations using this plugin.

Technical Context

The vulnerability exists in the pixabay_upload function of the Pixabay Images WordPress plugin. The root cause is CWE-434 (Unrestricted Upload of File with Dangerous Type): the function does not validate or restrict file types during upload. WordPress plugins execute with the privileges of the WordPress application itself, so an uploaded executable file (PHP, etc.) runs with the web server's privileges. The plugin integrates with Pixabay's image API but does not enforce file type restrictions on user-supplied uploads, which bypasses the upload checks WordPress normally applies. Because authentication is required (Author level at minimum), the issue falls within the authenticated-attacker threat model familiar from WordPress supply-chain and insider threats.

Affected Products

Pixabay Images WordPress Plugin: versions 0.0.1 through 3.4 (inclusive). Affected installations are WordPress sites with (1) the Pixabay Images plugin installed and active and (2) users holding the Author role or above (Author, Editor, Administrator). Multi-user WordPress installations with several authors are the most exposed. CPE representation would be cpe:2.3:a:pixabay:pixabay_images:*:*:*:*:*:wordpress:*:* (versions 0.0.1-3.4). Patch availability: version 3.5 or later contains the fix (inferred from the "up to, and including, 3.4" wording).

Remediation

Immediate actions:

1. Update the Pixabay Images plugin to version 3.5 or later via the WordPress admin dashboard (Plugins > Updates), or download it manually from the wordpress.org plugin repository.
2. If no update is available, deactivate and remove the Pixabay Images plugin entirely.
3. Restrict creation of Author-level users and audit existing Author accounts for suspicious file uploads.
4. Review the wp-content/uploads directory for unexpected or executable files (*.php, *.phtml, *.php3, etc.).
5. Enforce file type restrictions at the web server level: deny PHP execution in the uploads directory via .htaccess or the web server configuration.
6. Audit the WordPress installation for any webshells or backdoors planted via this vulnerability.
7. Review access logs for suspicious uploads correlating with Author-level account activity.

Contact the plugin author or check wordpress.org/plugins/pixabay-images for the official patch advisory and timeline.
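As an added defensive example (not code from vuln.today, the plugin or its author), the following script implements step 4 above: it walks a wp-content/uploads tree and flags files a PHP-enabled web server might execute, catching plain .php files, double extensions such as image.php.jpg, and image-named files that carry a PHP open tag. The sample tree, its file contents and the extension list (a typical Apache/PHP handler mapping) are constructed assumptions here.

```python
import os
import re
import tempfile

# Extensions a typical Apache/PHP handler mapping hands to the interpreter (assumption).
DANGEROUS_EXTS = {"php", "phtml", "php3", "php4", "php5", "php7", "phar", "phps"}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)  # <?php or <?= open tag

def classify(path):
    """Return the reasons a file looks executable; an empty list means clean."""
    reasons = []
    exts = os.path.basename(path).lower().split(".")[1:]  # every extension segment
    if exts and exts[-1] in DANGEROUS_EXTS:
        reasons.append("dangerous extension")
    elif any(e in DANGEROUS_EXTS for e in exts):
        reasons.append("double extension")  # e.g. image.php.jpg
    with open(path, "rb") as fh:
        head = fh.read(4096)  # an open tag near the start is enough to flag
    if PHP_TAG.search(head):
        reasons.append("php open tag in content")  # PHP disguised as an image
    return reasons

def audit_uploads(root):
    """Walk root and map each suspicious file (relative, '/'-separated) to its reasons."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reasons = classify(full)
            if reasons:
                findings[os.path.relpath(full, root).replace(os.sep, "/")] = reasons
    return findings

def build_sample_tree():
    """Create a constructed uploads tree: one clean image and three suspicious files."""
    root = tempfile.mkdtemp(prefix="wp-uploads-")
    os.makedirs(os.path.join(root, "2025", "06"))
    samples = {  # constructed contents, not real uploads
        "2025/06/photo.jpg": b"\xff\xd8\xff\xe0 JFIF sample bytes",
        "2025/06/shell.php": b"<?php echo 'placeholder'; ?>",
        "2025/06/image.php.jpg": b"GIF89a",
        "2025/06/disguised.png": b"\x89PNG\r\n<?php echo 1; ?>",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    print(audit_uploads(build_sample_tree()))
```

Run it against a real uploads path with audit_uploads("/path/to/wp-content/uploads"); any hit is a candidate for the webshell review in step 6, and the .htaccess deny rule from step 5 closes the execution path regardless of what slips through.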

Priority Score

45 (scale: Low / Medium / High / Critical)
Components: KEV 0, EPSS +0.5, CVSS +44, POC 0


CVE-2025-4413 vulnerability details – vuln.today
