CVE-2025-69312
CRITICAL
2026-01-22
[email protected]
9.1
CVSS 3.1
Share
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
Lifecycle Timeline
2
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
CVE Published
Jan 22, 2026 - 17:16 nvd
CRITICAL 9.1
Tags
Description
Unrestricted Upload of File with Dangerous Type vulnerability in Xpro Xpro Elementor Addons xpro-elementor-addons allows Upload a Web Shell to a Web Server.This issue affects Xpro Elementor Addons: from n/a through <= 1.4.19.1.
Analysis
Xpro Elementor Addons WordPress plugin has an unrestricted file upload allowing attackers to upload dangerous file types through the Elementor builder integration.
Technical Context
The Xpro Elementor Addons plugin has a CWE-434 unrestricted upload vulnerability that allows uploading files without proper type validation through the Elementor page builder integration.
Affected Products
['Xpro Elementor Addons WordPress plugin']
Remediation
Update the plugin. Restrict file upload types.
Priority Score
46
Low
Medium
High
Critical
KEV: 0
EPSS: +0.1
CVSS: +46
POC: 0
Share
External POC / Exploit Code
Leaving vuln.today
Destination URL
POC code from unknown sources may be malicious, contain backdoors, or be fake.
Always review and test exploit code in a safe, isolated environment (VM/sandbox).
Verify the source reputation and cross-reference with known databases (Exploit-DB, GitHub Security).