How to fix CVE-2025-4954?

Within 24 hours: Disable or remove the Axle Demo Importer plugin immediately; audit WordPress user accounts to identify and review all author-level and above users, especially inactive accounts. Within 7 days: Review server logs for suspicious file uploads since the plugin's installation; scan the server for unauthorized PHP files or webshells; implement a Web Application Firewall (WAF) rule to restrict file uploads by extension. Within 30 days: Migrate to an alternative, actively maintained file import solution; establish a plugin vetting and monitoring process; implement least-privilege access controls limiting author roles.

Is PHP affected by CVE-2025-4954?

A high-severity vulnerability in the Axle Demo Importer WordPress plugin allows authenticated users with author-level access or above to upload arbitrary files, including malicious PHP code, potentially leading to complete server compromise.

CVE-2025-4954

EUVD-2025-17629 HIGH

2025-06-10 [email protected]

8.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

EUVD ID Assigned

Mar 14, 2026 - 19:49 euvd

EUVD-2025-17629

Analysis Generated

Mar 14, 2026 - 19:49 vuln.today

PoC Detected

Jul 02, 2025 - 16:11 vuln.today

Public exploit code

CVE Published

Jun 10, 2025 - 06:15 nvd

HIGH 8.8

Description

The Axle Demo Importer WordPress plugin through 1.0.3 does not validate files to be uploaded, which could allow authenticated users (author and above) to upload arbitrary files such as PHP on the server

Analysis

A arbitrary file access vulnerability (CVSS 8.8). Risk factors: public PoC available.

Technical Context

CWE-434 (Unrestricted File Upload). CVSS 8.8 indicates high severity.

Affected Products

['Unspecified product']

Remediation

Monitor vendor channels for patch availability.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +44

POC: +20

CVE-2025-4954 vulnerability details – vuln.today

Back

CVE-2025-4954

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-4954

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code