CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Description (NVD)
The CSV Me plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'csv_me_options_page' function in all versions up to, and including, 2.0. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Analysis (AI)
CSV Me WordPress plugin versions up to and including 2.0 contain an arbitrary file upload vulnerability in the 'csv_me_options_page' function caused by insufficient file type validation. An authenticated administrator can exploit it to upload arbitrary files to the server, potentially leading to remote code execution. This is a post-authentication privilege abuse vulnerability with high impact on confidentiality, integrity, and availability.
Technical Context (AI)
The vulnerability exists in the CSV Me plugin for WordPress (CPE: wp:csv_me:*:*:*:*:*:*:*:*), specifically in the 'csv_me_options_page' function which handles file upload operations. The root cause is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type), indicating the plugin fails to properly validate file types before accepting uploads. This is a common WordPress plugin vulnerability pattern where server-side file type checks are either absent, bypassable (e.g., relying only on MIME type headers), or insufficiently restrictive. The vulnerability operates within the WordPress admin context where the upload functionality is typically accessed through the plugin's settings page, with file uploads likely processed through standard WordPress upload handlers without proper extension or content-type whitelisting.
Remediation (AI)
- Update CSV Me plugin to a patched version above 2.0 immediately when available from the official WordPress plugin repository or vendor
- If immediate patching is unavailable, disable the CSV Me plugin until a patch is released to eliminate exploitation surface
- Reduce exposure of the vulnerable upload path at the WordPress level by restricting Administrator access to trusted users only and enabling two-factor authentication (2FA) for all admin accounts
- Configure web server restrictions (e.g., Apache .htaccess, Nginx configuration) to prevent execution of uploaded files, particularly in plugin upload directories: disable PHP execution in wp-content/uploads and related directories
- Monitor admin access logs and file uploads for suspicious activity, particularly uploads of executable file types (.php, .phtml, .php5, .exe, .sh, etc.)
- Implement a Web Application Firewall (WAF) rule to detect and block uploads of executable files to the CSV Me plugin upload endpoint
- Conduct a security audit of the WordPress installation to determine whether any unauthorized files were uploaded, particularly in the plugins and uploads directories
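The two controls that address the CWE-434 root cause described above are server-side validation of the uploaded file (extension allow-list plus sniffing of the actual bytes, never the client-supplied MIME type) and denying script execution in the directory where uploads land. The PHP below is an added example written for this page; it is not code from the CSV Me plugin, from WordPress, or from vuln.today. The function names (weak_check, validate_csv_upload, safe_destination, harden_upload_dir) and the sample files it builds in the temp directory are constructed for illustration; the .htaccess directives assume Apache 2.4+.

```php
<?php
// Added example (not from the CSV Me plugin or vuln.today): a hardened CSV upload
// validator and a helper that blocks PHP execution in an upload directory.
// All function names and the sample files below are assumptions for illustration.
declare(strict_types=1);

/**
 * The weak pattern matching the CWE-434 description: it trusts the client-supplied
 * MIME type and never inspects the extension or the file contents. Kept only to
 * contrast with the strict validator below.
 */
function weak_check(array $file): bool
{
    return ($file['type'] ?? '') === 'text/csv';
}

/**
 * Strict server-side validation: size cap, extension allow-list on the final
 * extension, MIME sniffing of the real bytes with finfo, and a refusal of any
 * PHP open tag. Returns null when the file is acceptable, otherwise a reason.
 */
function validate_csv_upload(array $file, int $maxBytes = 5 * 1024 * 1024): ?string
{
    if (!isset($file['tmp_name'], $file['name']) || !is_file($file['tmp_name'])) {
        return 'no file received';
    }
    if (filesize($file['tmp_name']) > $maxBytes) {
        return 'file too large';
    }
    // 1. Only the last extension counts, so "import.php" and "data.csv.php" fail here.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if ($ext !== 'csv') {
        return "extension '$ext' not allowed";
    }
    // 2. Sniff the content type from the bytes on disk; $_FILES['type'] is ignored.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!in_array($mime, ['text/csv', 'text/plain', 'application/csv'], true)) {
        return "content sniffed as '$mime', not CSV";
    }
    // 3. Defence in depth: reject a PHP open tag anywhere in the first 64 KiB even
    //    if the sniffer was satisfied.
    $head = (string) file_get_contents($file['tmp_name'], false, null, 0, 65536);
    if (stripos($head, '<?php') !== false || strpos($head, '<?=') !== false) {
        return 'PHP open tag found in upload';
    }
    return null;
}

/** Store under a server-generated name so the client-chosen filename never reaches disk. */
function safe_destination(string $uploadDir): string
{
    return rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.csv';
}

/**
 * Remediation for "disable PHP execution in wp-content/uploads": write an .htaccess
 * that denies direct requests to script-like files. The FilesMatch rule works for
 * php-fpm deployments too; php_flag only applies when PHP runs as an Apache module.
 * Nginx deployments need an equivalent location block instead.
 */
function harden_upload_dir(string $dir): string
{
    $rules = <<<'HTACCESS'
# Block execution of scripts that end up in the upload directory
<FilesMatch "\.(php|php[3457]|phtml|phar|pl|py|cgi|sh)$">
    Require all denied
</FilesMatch>
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
HTACCESS;
    file_put_contents(rtrim($dir, '/') . '/.htaccess', $rules . "\n");
    return $rules;
}

// Constructed demo inputs: a benign CSV and a file whose contents are PHP but whose
// name and declared type claim CSV. The declared 'type' field is what the weak
// check trusts.
$tmp = sys_get_temp_dir();
file_put_contents("$tmp/good.csv", "id,name\n1,alice\n2,bob\n");
file_put_contents("$tmp/bad.csv", "<?php echo 'not a csv';\n");

$good    = ['name' => 'import.csv', 'type' => 'text/csv', 'tmp_name' => "$tmp/good.csv"];
$bad     = ['name' => 'import.csv', 'type' => 'text/csv', 'tmp_name' => "$tmp/bad.csv"];
$renamed = ['name' => 'import.php', 'type' => 'text/csv', 'tmp_name' => "$tmp/good.csv"];

var_dump(weak_check($bad));               // the weak check accepts the PHP payload
var_dump(validate_csv_upload($good));     // benign CSV passes (null)
var_dump(validate_csv_upload($bad));      // rejected by content sniffing
var_dump(validate_csv_upload($renamed));  // rejected by the extension allow-list
echo safe_destination($tmp), PHP_EOL;     // random .csv name, original name discarded
echo harden_upload_dir($tmp), PHP_EOL;    // the .htaccess written to the upload dir
```

In a real plugin the validator runs before move_uploaded_file(), the destination is always the value from safe_destination() rather than the client's filename, and the .htaccess step is applied once to the upload directory during activation or by the administrator; the three rejections in the demo correspond to the three checks a bypass of the client-side MIME type would otherwise slip past.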
EUVD-2025-18633