{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11521", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-08T18:45:06.191Z", "datePublished": "2025-11-11T03:30:52.495Z", "dateUpdated": "2026-04-08T17:34:13.448Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:34:13.448Z"}, "affected": [{"vendor": "astrasecuritysuite", "product": "Astra Security Suite \u2013 Firewall & Malware Scan", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "0.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Astra Security Suite \u2013 Firewall & Malware Scan plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient validation of remote URLs for zip downloads and an easily guessable key in all versions up to, and including, 0.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible."}], "title": "Astra Security Suite \u2013 Firewall & Malware Scan <= 0.2 - Unauthenticated Arbitrary File Upload", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f99a6b5c-e95d-49d0-a4b2-1d7188447da1?source=cve"}, {"url": "https://wordpress.org/plugins/getastra/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-285 Improper Authorization", "cweId": "CWE-285", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Kenneth Dunn"}], "timeline": [{"time": "2025-11-10T15:11:11.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-12T14:56:13.418664Z", "id": "CVE-2025-11521", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-12T20:04:28.579Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11521", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-11-12T14:56:13.418664Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-12T14:56:15.049Z"}}], "cna": {"title": "Astra Security Suite \u2013 Firewall & Malware Scan <= 0.2 - Unauthenticated Arbitrary File Upload", "credits": [{"lang": "en", "type": "finder", "value": "Kenneth Dunn"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "astrasecuritysuite", "product": "Astra Security Suite \u2013 Firewall & Malware Scan", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "0.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-10T15:11:11.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f99a6b5c-e95d-49d0-a4b2-1d7188447da1?source=cve"}, {"url": "https://wordpress.org/plugins/getastra/"}], "descriptions": [{"lang": "en", "value": "The Astra Security Suite \u2013 Firewall & Malware Scan plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient validation of remote URLs for zip downloads and an easily guessable key in all versions up to, and including, 0.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "CWE-285 Improper Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:34:13.448Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11521", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:34:13.448Z", "dateReserved": "2025-10-08T18:45:06.191Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-11T03:30:52.495Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Astra Security Suite \u2013 Firewall & Malware Scan plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient validation of remote URLs for zip downloads and an easily guessable key in all versions up to, and including, 0.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible."}], "id": "CVE-2025-11521", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-11T04:15:41.797", "references": [{"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/getastra/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f99a6b5c-e95d-49d0-a4b2-1d7188447da1?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T01:41:05.893323+00:00", "value": {"mitigation_remediation": ["Upgrade Astra Security Suite \u2013 Firewall & Malware Scan to the latest available release (\u2265\u202f0.3) which removes the vulnerable upload mechanism.", "If an upgrade is not immediately possible, delete or completely uninstall the plugin from the WordPress site to eliminate the risk.", "Temporarily block external URL fetching or restrict the plugin\u2019s upload functionality via firewall rules or .htaccess to prevent remote clients from triggering the download process until a patch is applied."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary file upload leading to remote code execution"}, "threat_synthesis": {"affected_systems": "Any WordPress installation running Astra Security Suite \u2013 Firewall & Malware Scan version 0.2 or earlier is vulnerable. The issue exists in all releases through including 0.2. Users of later community or paid tiers are not affected as the upload capability was removed or patched.", "description_and_impact": "The Astra Security Suite \u2013 Firewall & Malware Scan plugin for WordPress allows unauthenticated users to upload arbitrary files through the plugin\u2019s remote zip download feature. Insufficient validation of the remote URL and a guessable key in all releases up to 0.2 enable attackers to place executable files on the server, which can subsequently allow remote code execution. The weakness corresponds to CWE\u2011285: Improper Privileges.", "risk_and_exploitability": "The CVSS base score of 8.1 indicates high impact, while the EPSS score of less than 1\u202f% suggests a low probability of exploitation at present. The vulnerability is not listed in CISA\u2019s KEV catalog. Attackers can abuse the plugin\u2019s upload endpoint from any network location; authentication is not required to trigger the flaw, so the attack surface covers the entire public web server."}}}}, "created": "2025-11-12T12:43:01.131278+00:00", "updated": "2026-04-21T01:45:24.445127+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}