CVE-2025-6553
Published: 11 October 2025
Description
Arbitrary file upload in the Ovatheme Events Manager plugin for WordPress, all versions up to and including 1.8.5: the process_checkout() function does not validate the type of uploaded files, so an unauthenticated attacker can place arbitrary files on the server. Adversaries typically use such a flaw to backdoor the web server with a web shell and establish persistent access to the system.
Security Summary
CVE-2025-6553 is a critical-severity vulnerability in the Ovatheme Events Manager plugin for WordPress, affecting all versions up to and including 1.8.5. It stems from missing file type validation in the process_checkout() function, which allows arbitrary file uploads. The flaw is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): network-reachable, low attack complexity, no privileges and no user interaction required, with high impact on confidentiality, integrity and availability.
Because the checkout endpoint is reachable without authentication, a remote attacker can exploit the vulnerability with low complexity and no user interaction. By submitting a crafted checkout request, the attacker can upload arbitrary files to the affected WordPress site's server; if a server-executable file such as a PHP web shell is uploaded into a web-accessible location and then requested, the result is remote code execution in the context of the web server.
Mitigation guidance is referenced in advisories including the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/808392a9-dbac-4896-8677-6ddc1213d80d?source=cve and the change log of the EM4U theme, with which the plugin is distributed, at https://themeforest.net/item/em4u-event-management-multipurpose-wordpress-theme/20846579#item-description__change_log (theme listing: https://themeforest.net/item/em4u-event-management-multipurpose-wordpress-theme/20846579). Security practitioners should update to a patched version as soon as one is available, and in the meantime review sites running this plugin for unauthorized uploads, in particular server-executable files or files with a disguised extension in the uploads directory.
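The review step above, as an added triage script (not code from the Ovatheme plugin, Wordfence, or this advisory): it walks a WordPress uploads tree and flags files that should never be there after an arbitrary-upload incident. The three checks are server-executable extensions (.php, .phtml, .phar, and so on), double extensions such as shell.php.jpg, and files whose extension claims an image but whose bytes contain a PHP open tag. The sample directory tree, file names and contents are constructed here for the example; the extension lists are a reasonable starting set, not an exhaustive one, and in a real engagement the script is pointed at the site's wp-content/uploads path.

```python
"""Triage scan for web-shell-style uploads in a WordPress uploads tree.

Added example for CVE-2025-6553; not code from the affected plugin or from
Wordfence. It flags files that should never sit in an uploads directory:
  * files with a server-executable extension (.php, .phtml, .phar, ...),
  * double extensions such as shell.php.jpg,
  * files named like images whose bytes contain a PHP open tag.
"""
from __future__ import annotations

import os
import re
import tempfile
from pathlib import Path

# Extensions PHP-enabled web servers commonly execute (starting set, not exhaustive).
EXEC_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps"}
# Extensions an event/ticketing plugin would legitimately store.
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".webp"}
# "<?php" or the short echo tag "<?=", case-insensitive.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def classify(path: Path) -> list[str]:
    """Return the reasons a file looks like a planted web shell (empty if clean)."""
    reasons: list[str] = []
    suffixes = [s.lower() for s in path.suffixes]
    if suffixes and suffixes[-1] in EXEC_EXTENSIONS:
        reasons.append("executable extension")
    # shell.php.jpg: an earlier suffix is executable even though the last one is not.
    if any(s in EXEC_EXTENSIONS for s in suffixes[:-1]):
        reasons.append("double extension hides executable")
    if suffixes and suffixes[-1] in IMAGE_EXTENSIONS:
        # Only the first 64 KiB is inspected; a shell appended to a real image
        # usually sits near the start of a small polyglot file.
        with path.open("rb") as fh:
            head = fh.read(64 * 1024)
        if PHP_TAG.search(head):
            reasons.append("PHP open tag inside image-named file")
    return reasons


def scan_uploads(root: Path) -> dict[str, list[str]]:
    """Walk an uploads tree and map each suspicious file (relative path) to its reasons."""
    findings: dict[str, list[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            reasons = classify(p)
            if reasons:
                findings[p.relative_to(root).as_posix()] = reasons
    return findings


def build_sample_tree() -> Path:
    """Create a constructed uploads tree in a temp directory (sample data, not real artefacts)."""
    root = Path(tempfile.mkdtemp(prefix="wp-uploads-"))
    month = root / "2025" / "10"
    month.mkdir(parents=True)
    (month / "poster.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 32)   # benign JPEG header
    (month / "ticket.pdf").write_bytes(b"%PDF-1.4\n")                          # benign document
    (month / "shell.php").write_bytes(b"<?php system($_GET['c']); ?>")         # obvious web shell
    (month / "logo.php.png").write_bytes(b"GIF89a<?php eval($_POST['x']); ?>")  # double extension
    (month / "banner.gif").write_bytes(b"GIF89a" + b"\x00" * 10 + b"<?= `id`; ?>")  # polyglot image
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel_path, why in sorted(scan_uploads(sample_root).items()):
        print(f"{rel_path}: {', '.join(why)}")
```

A scan like this is triage, not proof of a clean site: an attacker who has executed code can plant a backdoor outside the uploads directory, so a positive finding should trigger a full compromise assessment (file-integrity comparison against a clean copy of core, theme and plugin files, and review of the web server access log for requests to the flagged paths).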
Details
- CWE(s): CWE-434 Unrestricted Upload of File with Dangerous Type
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1505.003 Server Software Component: Web Shell (formerly tracked as T1100)
Why these techniques?
The arbitrary file upload in a public-facing WordPress plugin is exploited directly over the network against the exposed application (T1190), and the uploaded file is typically a web shell that gives the attacker remote code execution and persistent access to the web server (T1505.003, the technique that replaced the retired T1100 Web Shell entry).