CVE-2025-3914

Published Apr 26, 2025

Last updated a year ago

CVSS high 8.8
WordPress
Airtable

Overview

Description
The Aeropage Sync for Airtable plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'aeropage_media_downloader' function in all versions up to, and including, 3.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Source
security@wordfence.com
NVD status
Analyzed
Products
aeropage_sync_for_airtable

Risk scores

CVSS 3.1

Type
Primary
Base score
8.8
Impact score
5.9
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity
HIGH

Weaknesses

security@wordfence.com
CWE-434
nvd@nist.gov
CWE-434

Social media

Hype score
Not currently trending

  1. Hunters 🔥 Once again, the developer relied only on file extension and mime-type (CVE-2025-3914) 😜 Find these strings in your target code to get your next CVE: fopen( move_uploaded_file( $mimeType FILEINFO_MIME_TYPE $_FILES['file']['type'] in_array($mimeType file_put_content

    @chux13786509

    26 Apr 2025

    2514 Impressions

    10 Retweets

    67 Likes

    37 Bookmarks

    0 Replies

    0 Quotes

  2. �� CVE-2025-3914 - WordPress - HIGH 🚨 🗓️ Date published 2025-04-26 06:15:16 UTC #WordPress #CyberSecurity #InfoSec #Vulnerability #TechNews https://t.co/z1OGRTtwar

    @vulns_space

    26 Apr 2025

    31 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. [CVE-2025-3914: HIGH] WordPress plugin Aeropage Sync for Airtable is vulnerable to file uploads in 'aeropage_media_downloader' function, up to version 3.2.0, allowing attackers to upload files and possibly exe...#cve,CVE-2025-3914,#cybersecurity https://t.co/aEXz0lznnK https://t.

    @CveFindCom

    26 Apr 2025

    44 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. CVE-2025-3914 The Aeropage Sync for Airtable plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'aeropage_media_downloader' funct… https://t.co/RroaZ4pgVp

    @CVEnew

    26 Apr 2025

    559 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. The Master Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ma_el_bh_table_btn_text' parameter in versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.CVE-2026-2486
  2. WordPress Plugin "Survey Maker" versions 5.1.7.7 and prior contain a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed in the user's web browser.CVE-2026-26370
  3. The Deployment Infrastructure in Mintlify Platform before 2025-11-15 allows remote attackers to bypass security patches and execute downgrade attacks via predictable deployment identifiers on the Vercel preview domain. An attacker can identify the URL structure of a previous deployment that contains unpatched vulnerabilities. By browsing directly to the specific git-ref or deployment-id subdomain, the attacker can force the application to load the vulnerable version.CVE-2025-67846
  4. The W3 Total Cache WordPress plugin before 2.8.13 is vulnerable to command injection via the _parse_dynamic_mfunc function, allowing unauthenticated users to execute PHP commands by submitting a comment with a malicious payload to a post.CVE-2025-9501
  5. The Ditty WordPress plugin before 3.1.58 lacks authorization and authentication for requests to its displayItems endpoint, allowing unauthenticated visitors to make requests to arbitrary URLs.CVE-2025-8085

References

Sources include official advisories and independent security research.