Skip to main content

PT Luxa Addons CVE-2025-60218

| EUVDEUVD-2025-210224 CRITICAL
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-06-17 Patchstack
9.9
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.9 CRITICAL

Network-reachable WordPress endpoint, low complexity, Subscriber (PR:L) account required, no user interaction; uploaded PHP executes outside plugin scope (S:C) yielding full host C/I/A impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 12:44 vuln.today

DescriptionCVE.org

Subscriber Arbitrary File Upload in PT Luxa Addons <= 1.2.2 versions.

AnalysisAI

Arbitrary file upload in the PT Luxa Addons WordPress plugin (versions 1.2.2 and earlier) allows authenticated users with low-privilege Subscriber accounts to upload attacker-controlled files to a WordPress site, leading to remote code execution and full site compromise. The scope-changed CVSS 9.9 reflects that a minimally privileged WordPress user can pivot to code execution affecting the entire web server. No public exploit identified at time of analysis.

Technical ContextAI

PT Luxa Addons is a WordPress plugin (vendor wplocker, CPE cpe:2.3:a:wplocker:pt_luxa_addons) that extends page-builder/theme functionality. The root cause is CWE-434 (Unrestricted Upload of File with Dangerous Type): an AJAX or REST endpoint exposed to authenticated users does not properly validate the MIME type, extension, or content of uploaded files, nor does it gate the endpoint behind an appropriate capability check. Because WordPress allows open user registration in many deployments, the Subscriber role - the lowest authenticated tier - is effectively reachable by anyone who can register, turning a privileged-only flaw into a near-unauthenticated one in practice.

RemediationAI

No vendor-released patch identified at time of analysis - the Patchstack advisory lists versions 1.2.2 and below as vulnerable without naming a fixed release. Site operators should deactivate and remove the PT Luxa Addons plugin until the vendor publishes a patched version, monitor the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/pt-luxa-addons/vulnerability/wordpress-pt-luxa-addons-plugin-1-2-2-arbitrary-file-upload-vulnerability for an upgrade target, and as compensating controls disable open WordPress registration (Settings → General → Membership) to remove the Subscriber-access prerequisite, deny PHP execution in wp-content/uploads via web-server rules (the standard hardening that breaks dynamic content served from uploads but stops uploaded webshells from executing), and apply a virtual patch through a WAF such as Patchstack or Wordfence to block the vulnerable upload endpoint. Audit wp-content/uploads and the plugin's upload directory for unexpected .php, .phtml, or double-extension files before re-enabling functionality.

Share

CVE-2025-60218 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy