
CVE-2025-47452 – WordPress WP VR <= 8.5.26 - Arbitrary File Upload Vulnerability
https://notcve.org/view.php?id=CVE-2025-47452
12 Jun 2025 — The WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 8.5.26. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/wordpress/plugin/wpvr/vulnerability/wordpress-wp-vr-8-5-26-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-47559 – WordPress MapSVG plugin <= 8.5.32 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2025-47559
12 Jun 2025 — The MapSVG plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 8.5.32. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/wordpress/plugin/mapsvg/vulnerability/wordpress-mapsvg-plugin-8-5-32-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-49447 – WordPress FW Food Menu <= 6.0.0 - Arbitrary File Upload Vulnerability
https://notcve.org/view.php?id=CVE-2025-49447
12 Jun 2025 — The FW Food Menu – Responsive food menu with ordering & delivery solutions plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 6.0.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/wordpress/plugin/fw-food-menu/vulnerability/wordpress-fw-food-menu-6-0-0-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-5012 – Workreap <= 3.3.2 - Authenticated (Subscriber+) Arbitrary File Upload via 'workreap_temp_upload_to_media'
https://notcve.org/view.php?id=CVE-2025-5012
11 Jun 2025 — The Workreap plugin for WordPress, used by the Workreap - Freelance Marketplace WordPress Theme, is vulnerable to arbitrary file uploads due to missing file type validation in the 'workreap_temp_upload_to_media' function in all versions up to, and including, 3.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://themeforest.net/item/workreap-freelance-marketplace-wordpress-theme/23712454#item-description__release-3-3-3-06-june-2025 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-32510 – WordPress Ovatheme Events Manager plugin <= 1.7.5 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2025-32510
11 Jun 2025 — The Ovatheme Events Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.7.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/wordpress/plugin/ova-events-manager/vulnerability/wordpress-ovatheme-events-manager-plugin-1-7-5-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-49071 – WordPress Flozen < 1.5.1 - Arbitrary File Upload Vulnerability
https://notcve.org/view.php?id=CVE-2025-49071
11 Jun 2025 — The flozen-theme theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to 1.5.1 (exclusive). This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/wordpress/theme/flozen-theme/vulnerability/wordpress-flozen-1-5-1-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-49444 – WordPress Reformer for Elementor <= 1.0.5 - Arbitrary File Upload Vulnerability
https://notcve.org/view.php?id=CVE-2025-49444
11 Jun 2025 — The ReFormer – Multichannel Contact Form for Elementor plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.0.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/wordpress/plugin/reformer-elementor/vulnerability/wordpress-reformer-for-elementor-1-0-5-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-4954 – Axle Demo Importer <= 1.0.3 - Author+ Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-4954
10 Jun 2025 — The Axle Demo Importer WordPress plugin through 1.0.3 does not validate files to be uploaded, which could allow authenticated users (author and above) to upload arbitrary files such as PHP on the server. The Axle Demo Importer plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.0.3. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected ... • https://wpscan.com/vulnerability/673f35ff-e1d5-4099-86e7-8b6e3e410ef8 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-4799 – WP-DownloadManager <= 1.68.10 - Authenticated (Administrator+) Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2025-4799
10 Jun 2025 — The WP-DownloadManager plugin for WordPress is vulnerable to arbitrary file deletion due to lack of restriction on the directory a file can be deleted from in all versions up to, and including, 1.68.10. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). This vulnerability can be paired with CVE-2025-4798 to d... • https://plugins.trac.wordpress.org/browser/wp-downloadmanager/trunk/download-manager.php#L215 • CWE-36: Absolute Path Traversal •

CVE-2025-5395 – WordPress Automatic Plugin - AI content generator and auto poster plugin <= 3.115.0 - Authenticated (Author+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-5395
10 Jun 2025 — The WordPress Automatic Plugin plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'core.php' file in all versions up to, and including, 3.115.0. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://codecanyon.net/item/wordpress-automatic-plugin/1904470#item-description__changelog • CWE-434: Unrestricted Upload of File with Dangerous Type •