{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-4279", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-05-05T05:52:22.721Z", "datePublished": "2025-05-05T18:22:39.421Z", "dateUpdated": "2026-04-08T17:31:44.393Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:31:44.393Z"}, "affected": [{"vendor": "muromuro", "product": "External image replace", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.8", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The External image replace plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'external_image_replace_get_posts::replace_post' function in all versions up to, and including, 1.0.8. This makes it possible for authenticated attackers, with contributor-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible."}], "title": "External image replace <= 1.0.8 - Authenticated (Contributor+) Arbitrary File Upload", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ee1624fd-d98b-4953-99dc-a952dda48aa1?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/external-image-replace/tags/1.0.8/class.php#L87"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type", "cweId": "CWE-434", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Istv\u00e1n M\u00e1rton"}], "timeline": [{"time": "2025-05-05T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-05-05T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-05T18:35:08.946860Z", "id": "CVE-2025-4279", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-05T18:35:26.672Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-4279", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-05-05T18:35:08.946860Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-05T18:35:12.952Z"}}], "cna": {"title": "External image replace <= 1.0.8 - Authenticated (Contributor+) Arbitrary File Upload", "credits": [{"lang": "en", "type": "finder", "value": "Istv\u00e1n M\u00e1rton"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "muromuro", "product": "External image replace", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.8"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-05-05T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-05-05T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ee1624fd-d98b-4953-99dc-a952dda48aa1?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/external-image-replace/tags/1.0.8/class.php#L87"}], "descriptions": [{"lang": "en", "value": "The External image replace plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'external_image_replace_get_posts::replace_post' function in all versions up to, and including, 1.0.8. This makes it possible for authenticated attackers, with contributor-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:31:44.393Z"}}}, "cveMetadata": {"cveId": "CVE-2025-4279", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:31:44.393Z", "dateReserved": "2025-05-05T05:52:22.721Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-05-05T18:22:39.421Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The External image replace plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'external_image_replace_get_posts::replace_post' function in all versions up to, and including, 1.0.8. This makes it possible for authenticated attackers, with contributor-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible."}, {"lang": "es", "value": "El complemento External image replace para WordPress es vulnerable a la carga de archivos arbitrarios debido a la falta de validaci\u00f3n del tipo de archivo en la funci\u00f3n 'external_image_replace_get_posts::replace_post' en todas las versiones hasta la 1.0.8 incluida. Esto permite que atacantes autenticados, con permisos de colaborador o superiores, carguen archivos arbitrarios en el servidor del sitio afectado, lo que podr\u00eda posibilitar la ejecuci\u00f3n remota de c\u00f3digo."}], "id": "CVE-2025-4279", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-05-05T19:15:57.477", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/external-image-replace/tags/1.0.8/class.php#L87"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ee1624fd-d98b-4953-99dc-a952dda48aa1?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T22:57:44.711771+00:00", "value": {"mitigation_remediation": ["Upgrade the External image replace plugin to the latest version (1.0.9 or newer) to include the missing file type validation.", "If an immediate update is not available, revoke or reduce contributor upload permissions or disable the plugin for contributor accounts until the patch can be applied.", "Configure the web server or WordPress to enforce strict MIME type checks and a whitelist of allowed image extensions, preventing arbitrary file uploads as a temporary safeguard."], "summary": {"action": "Update Plugin", "impact": "Arbitrary File Upload that may lead to remote code execution"}, "threat_synthesis": {"affected_systems": "WordPress sites running the muromuro External image replace plugin, versions 1.0.8 and earlier. The vulnerability is present in all releases up to and including 1.0.8.", "description_and_impact": "The External image replace WordPress plugin is vulnerable because its replace_post function performs no file type validation for uploads. This flaw allows an authenticated user with contributor or higher privileges to upload any file type to the web root. When such a file can be executed, it opens the possibility of remote code execution and full site compromise.", "risk_and_exploitability": "The CVSS score of 8.8 indicates high severity. The EPSS score of less than 1% suggests that exploitation is currently unlikely, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, the attack vector is authenticated, meaning any contributor or higher role can exploit the flaw. An attacker could upload malicious files and, if the server allows execution, execute arbitrary code."}}}}, "created": "2026-04-20T23:00:14.175910+00:00", "updated": "2026-04-20T23:00:14.175923+00:00", "vendors": []}