CVE-2025-2006
Published: 29 March 2025
Description
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Security Summary
CVE-2025-2006 is an arbitrary file upload vulnerability in the Inline Image Upload for BBPress plugin for WordPress, affecting all versions up to and including 1.1.19. The flaw arises from missing file extension validation in the file uploading functionality, classified under CWE-434 with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Published on 2025-03-29, it allows attackers to upload arbitrary files to the affected site's server, potentially leading to remote code execution.
Authenticated attackers with Subscriber-level access or higher can exploit the vulnerability by uploading malicious files during image upload operations within BBPress forums. If the site's configuration enables the "Allow guest users without accounts to create topics and replies" setting, unauthenticated attackers may also gain this capability, broadening the attack surface significantly.
Advisories, including Wordfence's threat intelligence report, reference the vulnerable code at line 136 in bbp-image-upload.php (tags/1.1.19) and a specific changeset (3264738) in the plugin's Trac repository, indicating paths to patches or fixes for mitigation.
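As an added example (not the plugin's code; written in Python rather than the plugin's PHP so the logic runs stand-alone), this contrasts an upload handler with the missing check the summary describes against one that allowlists image extensions and verifies the file's leading bytes. The allowlist, the signature table and the sample uploads are constructed for the demonstration.

```python
import os

# Constructed allowlist for a forum image uploader: image extensions only.
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}

# Constructed magic-byte table: the content must match the claimed type.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

def vulnerable_accepts(filename: str, head: bytes) -> bool:
    """Models the CWE-434 flaw: neither name nor content is checked, so a
    script file is stored under the web root just like an image."""
    return bool(filename)

def hardened_accepts(filename: str, head: bytes) -> bool:
    """Allowlist the extension, refuse path parts and double extensions,
    and require the leading bytes to match the claimed image type."""
    name = os.path.basename(filename)
    if not name or name != filename:          # "../x.png" or "dir/x.png"
        return False
    parts = name.lower().split(".")
    # Exactly one extension: "shell.php.png" and ".htaccess" are refused.
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return False
    ext = parts[1]
    if ext not in ALLOWED_EXT:
        return False
    # A renamed script ("shell.png" holding "<?php") fails the byte check.
    return any(head.startswith(sig) for sig in MAGIC[ext])

# Constructed sample uploads: (file name, first bytes of content).
SAMPLES = [
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("LOGO.PNG", b"\x89PNG\r\n\x1a\n\x00\x00"),
    ("shell.php", b"<?php echo 1; ?>"),
    ("shell.php.png", b"\x89PNG\r\n\x1a\n"),
    ("shell.png", b"<?php echo 1; ?>"),
    ("../escape.gif", b"GIF89a"),
]

def compare(samples=SAMPLES):
    """Return {name: (vulnerable_verdict, hardened_verdict)} per upload."""
    return {n: (vulnerable_accepts(n, h), hardened_accepts(n, h)) for n, h in samples}
```

`compare()` shows the unchecked handler accepting every sample while the hardened one accepts only the two genuine images; storing uploads outside the web root and serving them without script execution remains the complementary server-side control.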
Details
- CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type)
- MITRE ATT&CK Enterprise Techniques: T1190 (Exploit Public-Facing Application), T1505.003 (Server Software Component: Web Shell)
Why these techniques?
An arbitrary file upload vulnerability in a public-facing WordPress plugin directly enables T1190 (exploiting a public-facing application for initial access) and T1505.003 (uploading and executing a web shell for remote code execution).