
PerfreeBlog CVE-2025-60735

HIGH
Unrestricted Upload of File with Dangerous Type (CWE-434)
2025-10-24 cve@mitre.org
7.6
CVSS 3.1 · Vendor: mitre

Severity by source

Vendor (mitre), primary: 7.6 HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

vuln.today AI: 8.8 HIGH

Network-reachable installPlugin needs at least low-privilege auth (PR:L, AC:L); arbitrary file upload yields web-shell code execution, so C/I/A are all High rather than NVD's Low.

CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS Vector (Vendor: mitre)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: Low
Availability: Low

Lifecycle Timeline

1. Analysis Generated: Jul 05, 2026 - 03:08 (vuln.today)

Description (CVE.org)

PerfreeBlog v4.0.11 has a File Upload vulnerability in the installPlugin function.

Analysis (AI)

Arbitrary file upload in PerfreeBlog 4.0.11 lets an authenticated user abuse the installPlugin function to upload malicious files, likely enabling web shell deployment and remote code execution on the blog server. A public technical write-up with proof-of-concept exists on GitHub, though the flaw is not listed in CISA KEV and carries a low EPSS score (0.28%, 20th percentile), indicating no confirmed widespread exploitation yet.

Technical Context (AI)

PerfreeBlog is a Java-based blogging/CMS platform (perfree.org.cn) built around an extensible plugin architecture. The vulnerability resides in the installPlugin function, which handles plugin package uploads and installation. It is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type): the installer fails to properly validate the type, extension, or content of uploaded plugin files, allowing a crafted file (for example a JSP/servlet or executable payload disguised as a plugin) to be written into a server-accessible or executable location. The affected build is precisely identified by CPE cpe:2.3:a:perfree:perfreeblog:4.0.11.

Remediation (AI)

No vendor-released patched version is identified in the available data at time of analysis, so monitor the vendor at https://perfree.org.cn/ and the project release channel for a fixed build superseding 4.0.11. As compensating controls, restrict network access to the administrative and plugin-management endpoints (for example via IP allowlisting, VPN, or a reverse-proxy rule blocking the installPlugin route) so only trusted operators can reach them; enforce strong, unique credentials and least-privilege accounts, since exploitation requires authentication (PR:L); and place a WAF or upload-filtering rule in front of the application to reject plugin uploads containing executable content such as JSP, servlet, or script payloads. The trade-offs are that blocking or filtering the plugin-install route disables legitimate plugin installation until a fix is applied, and WAF content rules may need tuning to avoid breaking valid plugin packages. Additionally, review the plugin storage directory for unexpected files as a detection measure, and consult the GitHub write-up above to build precise signatures.
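As an added illustration of the upload-filtering check described above (example code, not PerfreeBlog's own installer and not from the advisory): a validator that inspects a plugin archive before installation and rejects entries with server-executable extensions, zip-slip paths, or JSP markers hiding behind an innocent file name. It assumes plugin packages are ZIP-compatible archives (jar/zip) and that the extension list is tuned per deployment; the sample packages are constructed inline.

```python
import io
import posixpath
import zipfile

# Entry types a servlet container would execute if written under the web root.
# Assumption (not from the advisory): tune this list to the deployment's container.
DANGEROUS_EXTENSIONS = {".jsp", ".jspx", ".jspf", ".war", ".sh", ".bat", ".php"}
MAX_SNIFF_BYTES = 1 << 20  # inspect at most the first 1 MiB of each entry


def check_plugin_package(data: bytes):
    """Return findings for an uploaded plugin archive; an empty list means it passed."""
    # Assumption: the plugin package is a ZIP-compatible archive (jar/zip).
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid zip archive"]
    with archive:
        for info in archive.infolist():
            name = info.filename
            norm = posixpath.normpath(name.replace("\\", "/"))
            # Zip-slip: an entry that resolves outside the extraction directory
            if norm.startswith("/") or norm == ".." or norm.startswith("../"):
                findings.append(f"path traversal: {name}")
            if info.is_dir():
                continue
            # Extension check on the normalised, lower-cased entry name
            if posixpath.splitext(norm.lower())[1] in DANGEROUS_EXTENSIONS:
                findings.append(f"dangerous file type: {name}")
            # Content check: JSP scriptlet/directive markers behind an innocent name
            with archive.open(info) as fh:
                head = fh.read(MAX_SNIFF_BYTES)
            if b"<%" in head and b"%>" in head:
                findings.append(f"JSP markers in entry: {name}")
    return findings


def build_sample_packages():
    """Constructed sample archives (not real plugins): one benign, one malicious."""
    benign, malicious = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(benign, "w") as zf:
        zf.writestr("plugin.json", '{"name": "hello", "version": "1.0"}')
        zf.writestr("classes/Hello.class", b"\xca\xfe\xba\xbe\x00\x00\x00\x34")
    with zipfile.ZipFile(malicious, "w") as zf:
        zf.writestr("static/cmd.jsp", "<%= 1 + 1 %>")             # executable type
        zf.writestr("../../ROOT/x.jsp", "<%= 2 %>")               # zip-slip path
        zf.writestr("static/logo.png", '<%@ page import="java.io.*" %>')  # disguised
    return benign.getvalue(), malicious.getvalue()
```

The same entry checks can be run over the files already present in the plugin storage directory to implement the detection measure mentioned above.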
