Skip to main content

RexTheme WP VR CVE-2025-47452

| EUVDEUVD-2025-18541 CRITICAL
Unrestricted Upload of File with Dangerous Type (CWE-434)
2025-06-17 audit@patchstack.com
9.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
EUVD ID Assigned
Mar 14, 2026 - 22:15 euvd
EUVD-2025-18541
Analysis Generated
Mar 14, 2026 - 22:15 vuln.today
CVE Published
Jun 17, 2025 - 15:15 nvd
CRITICAL 9.9

DescriptionCVE.org

Unrestricted Upload of File with Dangerous Type vulnerability in RexTheme WP VR allows Upload a Web Shell to a Web Server. This issue affects WP VR: from n/a through 8.5.26.

AnalysisAI

Critical unrestricted file upload vulnerability in RexTheme WP VR plugin (versions through 8.5.26) that allows authenticated users with low privileges to upload and execute arbitrary web shells on affected WordPress servers. With a CVSS score of 9.9 and network-based attack vector requiring only low privileges, this vulnerability poses an immediate threat to WordPress installations using the affected plugin and likely has active exploitation potential given the ease of weaponization.

Technical ContextAI

This vulnerability stems from improper file upload validation in the WP VR plugin, classified under CWE-434 (Unrestricted Upload of File with Dangerous Type). The affected technology is a WordPress plugin architecture that fails to implement adequate server-side validation of uploaded file types and content. Specifically, the plugin likely accepts file uploads in user-accessible directories without verifying MIME types, file extensions, or executable content patterns, and may not implement proper Content-Disposition headers or execution restrictions (e.g., .htaccess rules to prevent PHP execution in upload directories). The affected CPE would be approximately: cpe:2.4/a/rextheme:wp_vr:*:*:*:*:*:wordpress:*. The vulnerability affects all versions from unspecified baseline through 8.5.26, indicating a long-standing issue.

RemediationAI

Immediate remediation: (1) Upgrade: Update WP VR plugin to version 8.5.27 or later (version number assumed based on affected range; verify with RexTheme official sources); (2) Interim mitigation (if immediate patching is not possible): Disable the WP VR upload functionality via plugin settings or code-level restrictions; implement .htaccess rules in the wp-content/uploads directory to prevent PHP execution (e.g., 'php_flag engine off'); restrict upload permissions to administrator-only users via Role-Based Access Control; (3) Detection: Scan WordPress file system for suspicious .php, .phtml, .php3, .php4, .php5, .pht, .phar files in wp-content/uploads and plugin directories created after plugin deployment; audit WordPress user roles and revoke unnecessary upload capabilities from non-administrative accounts; (4) Response: Review web server logs for POST requests to upload endpoints; check for webshell execution indicators in access logs (unusual request patterns, outbound connections from web server processes). Contact RexTheme support for official patched version confirmation and CVE advisory details.

Share

CVE-2025-47452 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy