Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Unrestricted Upload of File with Dangerous Type vulnerability in RexTheme WP VR allows Upload a Web Shell to a Web Server. This issue affects WP VR: from n/a through 8.5.26.
AnalysisAI
Critical unrestricted file upload vulnerability in RexTheme WP VR plugin (versions through 8.5.26) that allows authenticated users with low privileges to upload and execute arbitrary web shells on affected WordPress servers. With a CVSS score of 9.9 and network-based attack vector requiring only low privileges, this vulnerability poses an immediate threat to WordPress installations using the affected plugin and likely has active exploitation potential given the ease of weaponization.
Technical ContextAI
This vulnerability stems from improper file upload validation in the WP VR plugin, classified under CWE-434 (Unrestricted Upload of File with Dangerous Type). The affected technology is a WordPress plugin architecture that fails to implement adequate server-side validation of uploaded file types and content. Specifically, the plugin likely accepts file uploads in user-accessible directories without verifying MIME types, file extensions, or executable content patterns, and may not implement proper Content-Disposition headers or execution restrictions (e.g., .htaccess rules to prevent PHP execution in upload directories). The affected CPE would be approximately: cpe:2.4/a/rextheme:wp_vr:*:*:*:*:*:wordpress:*. The vulnerability affects all versions from unspecified baseline through 8.5.26, indicating a long-standing issue.
RemediationAI
Immediate remediation: (1) Upgrade: Update WP VR plugin to version 8.5.27 or later (version number assumed based on affected range; verify with RexTheme official sources); (2) Interim mitigation (if immediate patching is not possible): Disable the WP VR upload functionality via plugin settings or code-level restrictions; implement .htaccess rules in the wp-content/uploads directory to prevent PHP execution (e.g., 'php_flag engine off'); restrict upload permissions to administrator-only users via Role-Based Access Control; (3) Detection: Scan WordPress file system for suspicious .php, .phtml, .php3, .php4, .php5, .pht, .phar files in wp-content/uploads and plugin directories created after plugin deployment; audit WordPress user roles and revoke unnecessary upload capabilities from non-administrative accounts; (4) Response: Review web server logs for POST requests to upload endpoints; check for webshell execution indicators in access logs (unusual request patterns, outbound connections from web server processes). Contact RexTheme support for official patched version confirmation and CVE advisory details.
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-18541