Cyber Posture

CVE-2025-13536

High

Published: 27 November 2025

Published
27 November 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0024 47.4th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

The Blubrry PowerPress plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in all versions up to, and including, 11.15.2. This is due to the plugin validating file extensions but not halting execution when…

more

validation fails in the 'powerpress_edit_post' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly mitigates the CVE by remediating the flaw in the Blubrry PowerPress plugin through timely patching to versions beyond 11.15.2.

SI-10 Information Input Validation good match
prevent

Requires comprehensive validation of file types and contents during uploads in functions like powerpress_edit_post, countering the plugin's insufficient validation that fails to halt execution.

SI-9 Information Input Restrictions good match
prevent

Enforces restrictions on file types and inputs accepted by the WordPress system, preventing arbitrary dangerous files from being uploaded via the vulnerable plugin.

Security SummaryAI

CVE-2025-13536 affects the Blubrry PowerPress plugin for WordPress in all versions up to and including 11.15.2. The vulnerability enables arbitrary file uploads due to insufficient file type validation in the 'powerpress_edit_post' function. Specifically, the plugin checks file extensions but fails to halt execution upon validation failure, allowing unauthorized file types to be processed and stored on the server. It has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type).

Authenticated attackers with Contributor-level access or higher can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By uploading arbitrary files, such as web shells, they can achieve potential remote code execution on the affected WordPress site, leading to high confidentiality, integrity, and availability impacts.

Advisories reference code locations in powerpressadmin.php at lines 2368, 3012, and 3068 in version 11.14.1, along with WordPress plugin changeset 3402635, which likely addresses the validation flaw. Security practitioners should update to a version beyond 11.15.2 and review the Wordfence threat intelligence page for additional details on detection and mitigation.

Details

CWE(s)
CWE-434

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
attack.mitre.org →
Why these techniques?

Arbitrary file upload in public-facing WordPress plugin enables exploitation of public-facing application (T1190), privilege escalation from low-priv Contributor to RCE (T1068), and deployment/execution of web shells (T1100).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References