CVE-2025-49444

EUVD-2025-19225 CRITICAL
2025-06-17 [email protected]
CVSS 3.1 base score: 10.0

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 14, 2026 - 22:15 (vuln.today)
EUVD ID Assigned: Mar 14, 2026 - 22:15 (euvd) - EUVD-2025-19225
CVE Published: Jun 17, 2025 - 15:15 (nvd) - CRITICAL 10.0

Description

Unrestricted Upload of File with Dangerous Type vulnerability in merkulove Reformer for Elementor allows Upload a Web Shell to a Web Server. This issue affects Reformer for Elementor: from n/a through 1.0.5.

Analysis

Critical unrestricted file upload vulnerability in merkulove Reformer for Elementor (versions through 1.0.5) that allows unauthenticated attackers to upload arbitrary files, including web shells, to affected servers. With a perfect CVSS 10.0 score and network-accessible attack vector requiring no privileges or user interaction, this vulnerability enables complete remote code execution and server compromise. Given the prevalence of Elementor in WordPress ecosystems and the trivial exploitation requirements, this represents an immediate and severe threat to all unpatched installations.

Technical Context

The vulnerability resides in the Reformer for Elementor WordPress plugin, a form-building extension for the popular Elementor page builder. The root cause is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type), indicating insufficient validation of uploaded file types and content. The plugin's file upload handler fails to implement proper server-side validation, allowing attackers to bypass client-side or weak restrictions and upload executable code (PHP, JSP, ASP, etc.) disguised as legitimate files. This is a classic arbitrary file upload vulnerability that directly enables web shell deployment. Affected versions span from initial release through 1.0.5, suggesting the vulnerability existed since the plugin's inception.

Affected Products

merkulove Reformer for Elementor: versions n/a through 1.0.5 (all versions up to and including 1.0.5). The plugin specifically integrates with WordPress and the Elementor page builder framework. Affected installations are: (1) WordPress sites using Elementor page builder; (2) Installations with Reformer for Elementor plugin active; (3) Any version ≤1.0.5 regardless of WordPress or Elementor version. No CPE string explicitly provided in source data, but typical CPE would approximate: cpe:2.3:a:merkulove:reformer_for_elementor:*:*:*:*:*:wordpress:*:*. Vendor: merkulove; Product: Reformer for Elementor; Affected versions: <1.0.6 (implied patched version).

Remediation

Immediate actions:
(1) Update Reformer for Elementor to version 1.0.6 or later if available; verify the patch release on the WordPress.org plugin repository or merkulove's official channels.
(2) If no patch is available, immediately disable and deactivate the Reformer for Elementor plugin until it is patched.
(3) If exploitation is suspected (recent file uploads, suspicious PHP files in wp-content/uploads), conduct a forensic investigation and remove any web shells.
(4) Implement Web Application Firewall (WAF) rules to block PHP/executable uploads to the wp-content/uploads directory.
(5) Apply the principle of least privilege: restrict file upload permissions at the filesystem level.
(6) Monitor for file uploads via logging and behavioral anomaly detection.

Long-term:
(1) Subscribe to merkulove security advisories.
(2) Implement automated plugin update testing and deployment.
(3) Consider using security plugins that prevent dangerous file uploads.
(4) Audit all uploaded files for executable content.
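A defender-side audit matching immediate action (3) and long-term item (4) above, as an added example that is not code from vuln.today, merkulove or the plugin itself: it walks an uploads tree and flags stored files by executable extension, by a double extension hiding an executable one, and by a PHP open tag inside what should be an image. The extension list, the PHP-tag signature and the sample directory are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Extensions a typical PHP-enabled web server executes (assumption: stock Apache/PHP setups).
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}
# Every PHP payload needs an open tag, so an image or document must never contain one.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)

def classify(path: str, data: bytes) -> list[str]:
    """Return the reasons a stored upload is suspicious (empty list means clean)."""
    reasons = []
    exts = os.path.basename(path).lower().split(".")[1:]
    if exts and exts[-1] in EXECUTABLE_EXTS:
        reasons.append("executable extension")
    elif any(e in EXECUTABLE_EXTS for e in exts):
        # e.g. avatar.php.jpg: some AddHandler setups execute any name containing .php
        reasons.append("executable extension hidden by double extension")
    if PHP_TAG.search(data):
        reasons.append("PHP open tag in content")
    return reasons

def audit_uploads(root: str) -> dict[str, list[str]]:
    """Walk an uploads tree (e.g. wp-content/uploads); map relative path -> reasons."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:  # whole file: payloads get appended to valid images
                if reasons := classify(full, fh.read()):
                    findings[os.path.relpath(full, root).replace(os.sep, "/")] = reasons
    return findings

def build_sample_tree(base: str) -> None:
    """Constructed sample uploads directory for the self-check; not real data."""
    os.makedirs(os.path.join(base, "2025", "06"))
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0JFIF plain image bytes",
        "dropped.php": b"<?php echo 'placeholder'; ?>",
        "avatar.php.jpg": b"GIF89a",
        "logo.png": b"\x89PNG\r\n\x1a\n<?php echo 'appended'; ?>",
    }
    for name, content in samples.items():
        with open(os.path.join(base, "2025", "06", name), "wb") as fh:
            fh.write(content)

def run_self_check() -> dict[str, list[str]]:
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return audit_uploads(tmp)
```

Point audit_uploads at a real wp-content/uploads copy taken during investigation; files it flags are candidates for manual review, not automatic deletion, since a legitimate plugin may store PHP there by design.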

Priority Score

Priority Score: 50 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.1
CVSS: +50
POC: 0


CVE-2025-49444 vulnerability details – vuln.today
