Cyber Posture

CVE-2025-22654

Critical

Published: 18 February 2025
Modified: 23 April 2026
KEV Added:
Patch:
CVSS Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0818 (92.2nd percentile)
Risk Priority: 25 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Unrestricted Upload of File with Dangerous Type vulnerability in kodeshpa Simplified (simplified) allows Using Malicious Files. This issue affects Simplified: from n/a through <= 1.0.6.

Security Summary

CVE-2025-22654 is an Unrestricted Upload of File with Dangerous Type vulnerability (CWE-434) in the Simplified WordPress plugin developed by kodeshpa. This issue affects all versions of the plugin from n/a through 1.0.6, enabling attackers to upload malicious files.

The vulnerability carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating it can be exploited over the network by unauthenticated attackers with low attack complexity and no user interaction; the changed scope (S:C) reflects that the impact extends beyond the vulnerable plugin to the hosting site. Successful exploitation allows attackers to upload dangerous files, potentially resulting in high-impact confidentiality, integrity, and availability violations, including full system compromise.

Patchstack has issued an advisory describing the vulnerability as an arbitrary file upload issue in the Simplified plugin at version 1.0.6, available at https://patchstack.com/database/Wordpress/Plugin/simplified/vulnerability/wordpress-simplified-plugin-plugin-1-0-6-arbitrary-file-upload-vulnerability?_s_id=cve.

Details

CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type)
