Skip to main content

PHP CVE-2025-6086

| EUVDEUVD-2025-18633 HIGH
Unrestricted Upload of File with Dangerous Type (CWE-434)
2025-06-18 security@wordfence.com
7.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 14, 2026 - 22:49 euvd
EUVD-2025-18633
Analysis Generated
Mar 14, 2026 - 22:49 vuln.today
CVE Published
Jun 18, 2025 - 10:15 nvd
HIGH 7.2

DescriptionCVE.org

The CSV Me plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'csv_me_options_page' function in all versions up to, and including, 2.0. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

AnalysisAI

The CSV Me WordPress plugin versions up to 2.0 contains an arbitrary file upload vulnerability in the 'csv_me_options_page' function due to insufficient file type validation. Authenticated administrators can exploit this to upload arbitrary files to the server, potentially enabling remote code execution. This is a post-authentication privilege abuse vulnerability with high impact on confidentiality, integrity, and availability.

Technical ContextAI

The vulnerability exists in the CSV Me plugin for WordPress (CPE: wp:csv_me:*:*:*:*:*:*:*:*), specifically in the 'csv_me_options_page' function which handles file upload operations. The root cause is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type), indicating the plugin fails to properly validate file types before accepting uploads. This is a common WordPress plugin vulnerability pattern where server-side file type checks are either absent, bypassable (e.g., relying only on MIME type headers), or insufficiently restrictive. The vulnerability operates within the WordPress admin context where the upload functionality is typically accessed through the plugin's settings page, with file uploads likely processed through standard WordPress upload handlers without proper extension or content-type whitelisting.

RemediationAI

  • Update CSV Me plugin to a patched version above 2.0 immediately when available from the official WordPress plugin repository or vendor
  • If immediate patching is unavailable, disable the CSV Me plugin until a patch is released to eliminate exploitation surface
  • Implement strict file upload validation at the WordPress level by restricting administrator access to trusted users only and enabling two-factor authentication (2FA) for all admin accounts
  • Configure web server restrictions (e.g., Apache .htaccess, Nginx configuration) to prevent execution of uploaded files, particularly in plugin upload directories: disable PHP execution in wp-content/uploads and related directories
  • Monitor admin access logs and file uploads for suspicious activity, particularly uploads of executable file types (.php, .phtml, .php5, .exe, .sh, etc.)
  • Implement a Web Application Firewall (WAF) rule to detect and block uploads of executable files to the CSV Me plugin upload endpoint
  • Conduct a security audit of the WordPress installation to identify if any unauthorized files were uploaded, particularly in the plugins and uploads directories

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2025-6086 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy