AI description
CVE-2025-3914 affects the Aeropage Sync for Airtable plugin for WordPress. It stems from a lack of file type validation in the `aeropage_media_downloader` function. This vulnerability is present in all versions up to and including 3.2.0. The absence of file type validation allows authenticated attackers with subscriber-level access or higher to upload arbitrary files to the affected server. This could potentially lead to remote code execution, thereby compromising the WordPress site.
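The weakness described above is a server-side function that writes a fetched or uploaded file to disk without checking what the file actually is. The following is an added example, not the plugin's code and not Wordfence's advisory material: a hypothetical PHP routine (`example_validate_media`, `example_store_media` and `EXAMPLE_ALLOWED_TYPES` are assumed names) showing the validation a defender expects such a function to perform: an extension allowlist, a content sniff with `finfo` rather than trust in a client- or server-supplied MIME string, a server-chosen random filename, and a non-executable mode on the stored file. The sample inputs at the bottom are constructed.

```php
<?php
// Added example, not the plugin's own code. Hypothetical hardened form of a
// "store this media file" helper: the file type is decided from the bytes on
// disk, never from the requested name or a Content-Type header alone.

declare(strict_types=1);

// Allowlist: extension => MIME type the file's *content* must sniff as.
const EXAMPLE_ALLOWED_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
    'webp' => 'image/webp',
    'pdf'  => 'application/pdf',
];

/**
 * Validate a blob before it touches the uploads directory.
 * Returns the canonical extension on success, or null on rejection.
 */
function example_validate_media(string $bytes, string $requestedName): ?string
{
    // 1. Take the extension after the *last* dot, lower-cased, so a name such
    //    as "x.php.jpg" is judged as "jpg" and must then sniff as JPEG.
    $ext = strtolower(pathinfo($requestedName, PATHINFO_EXTENSION));
    if (!isset(EXAMPLE_ALLOWED_TYPES[$ext])) {
        return null; // not on the allowlist (php, phtml, htaccess, ...)
    }

    // 2. Sniff the real content type; any MIME string that arrived with the
    //    request or the remote response is ignored.
    $finfo   = new finfo(FILEINFO_MIME_TYPE);
    $sniffed = $finfo->buffer($bytes);
    if ($sniffed !== EXAMPLE_ALLOWED_TYPES[$ext]) {
        return null; // content does not match what the extension promises
    }

    // 3. Defence in depth against polyglots that pass the magic-number check:
    //    a file with PHP open tags has no business in a web-served directory.
    if (preg_match('/<\?(php|=)/i', $bytes)) {
        return null;
    }

    return $ext;
}

/**
 * Store validated bytes under a random, server-chosen name inside $dir.
 * The requested name is never reused, so path tricks inside it are moot.
 */
function example_store_media(string $bytes, string $requestedName, string $dir): ?string
{
    $ext = example_validate_media($bytes, $requestedName);
    if ($ext === null) {
        return null;
    }
    $target = rtrim($dir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    // Exclusive create: fail rather than overwrite an existing file.
    $fh = fopen($target, 'x');
    if ($fh === false) {
        return null;
    }
    fwrite($fh, $bytes);
    fclose($fh);
    chmod($target, 0644); // readable, never executable
    return $target;
}

// Constructed sample inputs: a minimal PNG signature padded with zeros, and a
// small PHP source text under two different requested names.
$png  = "\x89PNG\r\n\x1a\n" . str_repeat("\0", 64);
$text = "<?php echo 1; ?>";
foreach ([[$png, 'logo.png'], [$text, 'logo.php'], [$text, 'logo.php.jpg']] as [$bytes, $name]) {
    $result = example_validate_media($bytes, $name);
    printf("%-14s => %s\n", $name, $result === null ? 'rejected' : 'accepted as .' . $result);
}
```

Inside WordPress itself, `wp_check_filetype_and_ext()` performs the equivalent extension-plus-content check against the site's allowed MIME list, and a plugin that writes files should route through it (or through `wp_handle_upload()` / `media_sideload_image()`) rather than calling `fopen` or `file_put_contents` on a caller-controlled name. Validation by content is only one half of the mitigation: the uploads directory should also be served with script execution disabled, so that a file which slips past the check is still delivered as static content.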
- Description: The Aeropage Sync for Airtable plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'aeropage_media_downloader' function in all versions up to, and including, 3.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
- Source: security@wordfence.com
- NVD status: Analyzed
CVSS 3.1
- Type: Primary
- Base score: 8.8
- Impact score: 5.9
- Exploitability score: 2.8
- Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Severity: HIGH
- Hype score: Not currently trending
Hunters 🔥 Once again, the developer relied only on file extension and mime-type (CVE-2025-3914) 😜 Find these strings in your target code to get your next CVE: fopen( move_uploaded_file( $mimeType FILEINFO_MIME_TYPE $_FILES['file']['type'] in_array($mimeType file_put_content
@chux13786509
26 Apr 2025
CVE-2025-3914 - WordPress - HIGH 🚨 🗓️ Date published 2025-04-26 06:15:16 UTC #WordPress #CyberSecurity #InfoSec #Vulnerability #TechNews https://t.co/z1OGRTtwar
@vulns_space
26 Apr 2025
[CVE-2025-3914: HIGH] WordPress plugin Aeropage Sync for Airtable is vulnerable to file uploads in 'aeropage_media_downloader' function, up to version 3.2.0, allowing attackers to upload files and possibly exe...#cve,CVE-2025-3914,#cybersecurity https://t.co/aEXz0lznnK https://t.
@CveFindCom
26 Apr 2025
CVE-2025-3914 The Aeropage Sync for Airtable plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'aeropage_media_downloader' funct… https://t.co/RroaZ4pgVp
@CVEnew
26 Apr 2025
[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:aeropage:aeropage_sync_for_airtable:*:*:*:*:*:wordpress:*:*",
            "vulnerable": true,
            "matchCriteriaId": "6DCF5084-8DF9-4B35-B937-3DCA65B3708D",
            "versionEndExcluding": "3.3.0"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]