Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Network-reachable WordPress endpoint, low complexity, Subscriber (PR:L) account required, no user interaction; uploaded PHP executes outside plugin scope (S:C) yielding full host C/I/A impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Subscriber Arbitrary File Upload in PT Luxa Addons <= 1.2.2 versions.
AnalysisAI
Arbitrary file upload in the PT Luxa Addons WordPress plugin (versions 1.2.2 and earlier) allows authenticated users with low-privilege Subscriber accounts to upload attacker-controlled files to a WordPress site, leading to remote code execution and full site compromise. The scope-changed CVSS 9.9 reflects that a minimally privileged WordPress user can pivot to code execution affecting the entire web server. No public exploit identified at time of analysis.
Technical ContextAI
PT Luxa Addons is a WordPress plugin (vendor wplocker, CPE cpe:2.3:a:wplocker:pt_luxa_addons) that extends page-builder/theme functionality. The root cause is CWE-434 (Unrestricted Upload of File with Dangerous Type): an AJAX or REST endpoint exposed to authenticated users does not properly validate the MIME type, extension, or content of uploaded files, nor does it gate the endpoint behind an appropriate capability check. Because WordPress allows open user registration in many deployments, the Subscriber role - the lowest authenticated tier - is effectively reachable by anyone who can register, turning a privileged-only flaw into a near-unauthenticated one in practice.
RemediationAI
No vendor-released patch identified at time of analysis - the Patchstack advisory lists versions 1.2.2 and below as vulnerable without naming a fixed release. Site operators should deactivate and remove the PT Luxa Addons plugin until the vendor publishes a patched version, monitor the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/pt-luxa-addons/vulnerability/wordpress-pt-luxa-addons-plugin-1-2-2-arbitrary-file-upload-vulnerability for an upgrade target, and as compensating controls disable open WordPress registration (Settings → General → Membership) to remove the Subscriber-access prerequisite, deny PHP execution in wp-content/uploads via web-server rules (the standard hardening that breaks dynamic content served from uploads but stops uploaded webshells from executing), and apply a virtual patch through a WAF such as Patchstack or Wordfence to block the vulnerable upload endpoint. Audit wp-content/uploads and the plugin's upload directory for unexpected .php, .phtml, or double-extension files before re-enabling functionality.
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210224