CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Description
Unrestricted Upload of File with Dangerous Type vulnerability in merkulove Reformer for Elementor allows Upload a Web Shell to a Web Server. This issue affects Reformer for Elementor: from n/a through 1.0.5.
Analysis
Critical unrestricted file upload vulnerability in merkulove Reformer for Elementor (versions through 1.0.5) that allows unauthenticated attackers to upload arbitrary files, including web shells, to affected servers. With the maximum CVSS 10.0 score and a network-accessible attack vector requiring no privileges or user interaction, this vulnerability enables complete remote code execution and server compromise. Given the prevalence of Elementor in WordPress ecosystems and the trivial exploitation requirements, this represents an immediate and severe threat to all unpatched installations.
Technical Context
The vulnerability resides in the Reformer for Elementor WordPress plugin, a form-building extension for the popular Elementor page builder. The root cause is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type), indicating insufficient validation of uploaded file types and content. The plugin's file upload handler fails to implement proper server-side validation, allowing attackers to bypass client-side or weak restrictions and upload executable code (PHP, JSP, ASP, etc.) disguised as legitimate files. This is a classic arbitrary file upload vulnerability that directly enables web shell deployment. Affected versions span from initial release through 1.0.5, suggesting the vulnerability existed since the plugin's inception.
Affected Products
merkulove Reformer for Elementor: versions n/a through 1.0.5 (all versions up to and including 1.0.5). The plugin specifically integrates with WordPress and the Elementor page builder framework. Affected installations are: (1) WordPress sites using Elementor page builder; (2) Installations with Reformer for Elementor plugin active; (3) Any version ≤1.0.5 regardless of WordPress or Elementor version. No CPE string explicitly provided in source data, but typical CPE would approximate: cpe:2.3:a:merkulove:reformer_for_elementor:*:*:*:*:*:wordpress:*:*. Vendor: merkulove; Product: Reformer for Elementor; Affected versions: <1.0.6 (implied patched version).
Remediation
Immediate actions:
(1) Update Reformer for Elementor to version 1.0.6 or later if available; verify the patch release on the WordPress.org plugin repository or merkulove's official channels.
(2) If no patch is available, immediately deactivate the Reformer for Elementor plugin until one is released.
(3) If exploitation is suspected (recent unexpected file uploads, suspicious PHP files in wp-content/uploads), conduct a forensic investigation and remove any web shells.
(4) Implement Web Application Firewall (WAF) rules to block PHP/executable uploads to the wp-content/uploads directory.
(5) Apply the principle of least privilege: restrict file upload permissions at the filesystem level.
(6) Monitor file uploads via logging and behavioral anomaly detection.
Long-term:
(1) Subscribe to merkulove security advisories.
(2) Implement automated plugin update testing and deployment.
(3) Consider using security plugins that prevent dangerous file uploads.
(4) Audit all uploaded files for executable content.
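The forensic check in immediate action (3) and the "executable code disguised as legitimate files" pattern described under Technical Context can be scripted for triage. The following is an added example written for this page; it is not code from the plugin, from merkulove or from vuln.today. It builds a constructed sample wp-content/uploads tree in a temporary directory and flags files that a PHP-enabled web server could execute, files that carry a PHP open tag behind a non-PHP extension, and web-server configuration files that should never sit under uploads. The extension list, the file names and their contents are assumptions chosen for illustration.

```python
"""Triage scan of a WordPress uploads directory for executable content.

Added example (not from the plugin or the advisory): walks a directory tree
and reports files that a PHP-enabled web server may execute, files whose
content carries a PHP open tag despite a harmless-looking extension, and
web-server configuration files that should never live under uploads.
"""
from __future__ import annotations

import os
import re
import tempfile
from pathlib import Path

# Extensions commonly mapped to the PHP handler (assumed list; adjust it to
# the server's actual AddHandler / FilesMatch configuration).
EXECUTABLE_EXTS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps"}

# Matches "<?php" (word boundary) and the short echo tag "<?=".
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)

# Only the first 64 KiB of each file is inspected; enough for a prepended tag.
HEAD_BYTES = 64 * 1024


def classify_file(path: Path) -> list[str]:
    """Return finding labels for one file (empty list if nothing is suspicious)."""
    findings: list[str] = []
    suffixes = [s.lower() for s in path.suffixes]

    if suffixes and suffixes[-1] in EXECUTABLE_EXTS:
        findings.append("executable-extension")
    elif any(s in EXECUTABLE_EXTS for s in suffixes[:-1]):
        # e.g. name.php.jpg: the final extension looks safe, the inner one does not
        findings.append("double-extension")

    try:
        with path.open("rb") as fh:
            head = fh.read(HEAD_BYTES)
    except OSError:
        return findings  # unreadable file: report extension findings only

    if PHP_OPEN_TAG.search(head):
        findings.append("php-open-tag")

    # Server config dropped into uploads can change how other files are served.
    if path.name == ".htaccess" or path.name.endswith(".user.ini"):
        findings.append("server-config-in-uploads")

    return findings


def scan_uploads(root: Path) -> dict[str, list[str]]:
    """Walk `root` and map each flagged file (POSIX relative path) to its findings."""
    results: dict[str, list[str]] = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in sorted(filenames):
            file_path = Path(dirpath) / name
            findings = classify_file(file_path)
            if findings:
                results[file_path.relative_to(root).as_posix()] = findings
    return results


def build_sample_tree(root: Path) -> None:
    """Create a constructed sample uploads tree (not real data) for the demo."""
    month = root / "2025" / "06"
    month.mkdir(parents=True, exist_ok=True)
    # Genuine JPEG header: should produce no findings.
    (month / "banner.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 32)
    # PHP source hidden behind a double extension.
    (month / "logo.php.jpg").write_bytes(b"<?php echo 'constructed sample'; ?>")
    # Executable extension even though the content is inert.
    (month / "form-upload.phtml").write_bytes(b"plain text, no code")
    # Short echo tag inside a file that claims to be text.
    (month / "notes.txt").write_bytes(b"<?= $value ?>")
    # Web-server config file that has no business under uploads.
    (month / ".htaccess").write_bytes(b"# constructed sample\n")


def run_demo() -> dict[str, list[str]]:
    """Build the sample tree in a temp dir, scan it and return the findings."""
    root = Path(tempfile.mkdtemp(prefix="uploads-demo-")) / "uploads"
    root.mkdir()
    build_sample_tree(root)
    return scan_uploads(root)


if __name__ == "__main__":
    for rel_path, labels in run_demo().items():
        print(f"{rel_path}: {', '.join(labels)}")
```

Point `scan_uploads()` at a real wp-content/uploads directory to use it outside the demo. A clean result does not prove the absence of a web shell (obfuscated payloads need not contain a literal open tag), so treat this as a first pass that complements log review and file-integrity monitoring; the durable fix remains server-side validation in the plugin itself, using an extension and MIME allowlist rather than client-side checks.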
EUVD-2025-19225