{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-10000", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-04T17:46:09.848Z", "datePublished": "2025-09-30T03:35:26.344Z", "dateUpdated": "2026-04-08T16:48:18.367Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:48:18.367Z"}, "affected": [{"vendor": "wpchill", "product": "Qyrr \u2013 simply and modern QR-Code creation", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.0.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Qyrr \u2013 simply and modern QR-Code creation plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the blob_to_file() function in all versions up to, and including, 2.0.7. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible."}], "title": "Qyrr \u2013 simply and modern QR-Code creation <= 2.0.7 - Authenticated (Contributor+) Arbitrary File Upload", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3ff54694-64c4-4112-b126-aabd3e09144b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/qyrr-code/trunk/inc/class-qyrr-rest.php#L94"}, {"url": "https://plugins.trac.wordpress.org/changeset/3454683/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type", "cweId": "CWE-434", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Alexander Chikaylo"}], "timeline": [{"time": "2025-09-29T15:22:20.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-30T13:18:01.301515Z", "id": "CVE-2025-10000", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-30T13:18:11.965Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-10000", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-30T13:18:01.301515Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-30T13:18:07.795Z"}}], "cna": {"title": "Qyrr \u2013 simply and modern QR-Code creation <= 2.0.7 - Authenticated (Contributor+) Arbitrary File Upload", "credits": [{"lang": "en", "type": "finder", "value": "Alexander Chikaylo"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "patrickposner", "product": "Qyrr \u2013 simply and modern QR-Code creation", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "2.0.7"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-09-29T15:22:20.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3ff54694-64c4-4112-b126-aabd3e09144b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/qyrr-code/trunk/inc/class-qyrr-rest.php#L94"}], "descriptions": [{"lang": "en", "value": "The Qyrr \u2013 simply and modern QR-Code creation plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the blob_to_file() function in all versions up to, and including, 2.0.7. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-09-30T03:35:26.344Z"}}}, "cveMetadata": {"cveId": "CVE-2025-10000", "state": "PUBLISHED", "dateUpdated": "2025-09-30T13:18:11.965Z", "dateReserved": "2025-09-04T17:46:09.848Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-09-30T03:35:26.344Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Qyrr \u2013 simply and modern QR-Code creation plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the blob_to_file() function in all versions up to, and including, 2.0.7. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible."}], "id": "CVE-2025-10000", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-09-30T11:37:36.833", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/qyrr-code/trunk/inc/class-qyrr-rest.php#L94"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3454683/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3ff54694-64c4-4112-b126-aabd3e09144b?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T16:52:31.457912+00:00", "value": {"mitigation_remediation": ["Upgrade the Qyrr plugin to the latest released version, which is expected to remove the missing file type validation in blob_to_file()", "If a quick upgrade is not possible, revoke or restrict Contributor and higher roles from accessing the upload endpoint \u2013 for example by disabling that capability or disabling the upload feature for non-administrators", "Consider deactivating or uninstalling the Qyrr plugin if it is not essential to site functionality"], "summary": {"action": "Immediate Patch", "impact": "Arbitrary file upload potentially enabling remote code execution"}, "threat_synthesis": {"affected_systems": "WordPress sites that have installed wpchill\u2019s Qyrr \u2013 simply and modern QR-Code creation plugin version 2.0.7 or earlier are affected. The vulnerability resides within the plugin\u2019s core upload logic, so any site using those versions, regardless of other themes or plugins, is at risk.", "description_and_impact": "The Qyrr \u2013 simply and modern QR-Code creation plugin for WordPress contains a flaw in the blob_to_file() routine that fails to validate uploaded file types. An authenticated user with Contributor or higher privileges can submit any file, thereby gaining the ability to place executable content on the web root. This creates a potential vector for remote code execution if the attacker uploads a crafted script or webshell. The issue relies on missing server-side validation, a classic case of unsafe file upload practice.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a moderate risk, while the EPSS score is below 1% and the flaw is not listed in CISA\u2019s KEV catalog. The attack vector requires authentication; any user with Contributor-level role or higher can trigger the flaw. Once an arbitrary file is uploaded, an attacker may achieve remote code execution depending on server configuration. As long as contributors retain access to the upload functionality, the threat remains realistic for affected sites."}}}}, "created": "2025-09-30T08:47:19.910407+00:00", "updated": "2026-04-22T17:00:12.325430+00:00", "vendors": ["patrickposner", "patrickposner$PRODUCT$qyrr", "wordpress", "wordpress$PRODUCT$wordpress"]}