CVE-2025-3917

Published May 15, 2025

Last updated a month ago

CVSS critical 9.8

Overview

Description
The 百度站长SEO合集(支持百度/神马/Bing/头条推送) plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the download_remote_image_to_media_library function in all versions up to, and including, 2.0.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Source
security@wordfence.com
NVD status
Awaiting Analysis

Risk scores

CVSS 3.1

Type
Primary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

security@wordfence.com
CWE-434

Social media

Hype score
Not currently trending

  1. [CVE-2025-3917: CRITICAL] WordPress 百度站长SEO合集 plugin has a security flaw allowing arbitrary file uploads by attackers, potentially leading to remote code execution.Upgrade to version 2.0.7 for a fix.#cve,CVE-2025-3917,#cybersecurity https://t.co/JJszzu8bae https://t.c

    @CveFindCom

    15 May 2025

    45 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

References

Sources include official advisories and independent security research.