{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-4391", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-05-06T19:34:58.959Z", "datePublished": "2025-05-17T05:30:33.888Z", "dateUpdated": "2026-04-08T17:00:51.207Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:00:51.207Z"}, "affected": [{"vendor": "CodeRevolution", "product": "Echo RSS Feed Post Generator", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.4.8.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Echo RSS Feed Post Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the echo_generate_featured_image() function in all versions up to, and including, 5.4.8.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible."}], "title": "Echo RSS Feed Post Generator <= 5.4.8.1 - Unauthenticated Arbitrary File Upload", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/72de9f64-f3e0-4705-adc1-6c22076b382f?source=cve"}, {"url": "https://codecanyon.net/item/echo-rss-feed-post-generator-plugin-for-wordpress/19486974"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type", "cweId": "CWE-434", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "credits": [{"lang": "en", "type": "finder", "value": "Friderika Baranyai"}], "timeline": [{"time": "2025-05-16T16:28:23.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-19T15:42:54.531413Z", "id": "CVE-2025-4391", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-19T15:43:30.931Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-4391", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-05-19T15:42:54.531413Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-19T15:43:01.077Z"}}], "cna": {"title": "Echo RSS Feed Post Generator <= 5.4.8.1 - Unauthenticated Arbitrary File Upload", "credits": [{"lang": "en", "type": "finder", "value": "Friderika Baranyai"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "CodeRevolution", "product": "Echo RSS Feed Post Generator", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "5.4.8.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-05-16T16:28:23.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/72de9f64-f3e0-4705-adc1-6c22076b382f?source=cve"}, {"url": "https://codecanyon.net/item/echo-rss-feed-post-generator-plugin-for-wordpress/19486974"}], "descriptions": [{"lang": "en", "value": "The Echo RSS Feed Post Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the echo_generate_featured_image() function in all versions up to, and including, 5.4.8.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:00:51.207Z"}}}, "cveMetadata": {"cveId": "CVE-2025-4391", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:00:51.207Z", "dateReserved": "2025-05-06T19:34:58.959Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-05-17T05:30:33.888Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Echo RSS Feed Post Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the echo_generate_featured_image() function in all versions up to, and including, 5.4.8.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible."}, {"lang": "es", "value": "El complemento Echo RSS Feed Post Generator para WordPress es vulnerable a la carga de archivos arbitrarios debido a la falta de validaci\u00f3n del tipo de archivo en la funci\u00f3n echo_generate_featured_image() en todas las versiones hasta la 5.4.8.1 incluida. Esto permite que atacantes no autenticados carguen archivos arbitrarios en el servidor del sitio afectado, lo que podr\u00eda posibilitar la ejecuci\u00f3n remota de c\u00f3digo."}], "id": "CVE-2025-4391", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-05-17T06:15:19.140", "references": [{"source": "security@wordfence.com", "url": "https://codecanyon.net/item/echo-rss-feed-post-generator-plugin-for-wordpress/19486974"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/72de9f64-f3e0-4705-adc1-6c22076b382f?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T20:45:55.596644+00:00", "value": {"mitigation_remediation": ["Upgrade Echo RSS Feed Post Generator to a version newer than 5.4.8.1 or install a patch that enforces file type validation.", "If an upgrade is not immediately possible, block unauthenticated access to the plugin\u2019s upload endpoint using .htaccess rules or a security plugin that restricts file uploads to authenticated users.", "Configure the server so that the directory used for uploads is not executable and monitor server logs for suspicious upload attempts."], "summary": {"action": "Immediate patch", "impact": "Remote code execution via arbitrary file upload"}, "threat_synthesis": {"affected_systems": "The affected product is CodeRevolution\u2019s Echo RSS Feed Post Generator plugin for WordPress. All releases through 5.4.8.1 are vulnerable; any installation of the plugin with a version number of 5.4.8.1 or older is at risk.", "description_and_impact": "The Echo RSS Feed Post Generator plugin for WordPress allows file uploads without validating the file type in the echo_generate_featured_image() function, which is present in all versions up to and including 5.4.8.1. This missing validation enables an attacker who does not have to authenticate to the WordPress site to upload any file they choose to the server. Because the uploaded content can be executed by the web server, an attacker could place a malicious script and then run it, giving them the ability to execute arbitrary code on the host. The flaw is a classic example of CWE\u2011434, unvalidated file upload.", "risk_and_exploitability": "The vulnerability has a CVSS score of 9.8, indicating critical severity. The EPSS score of 2% shows that attacks are unlikely but the probability is non\u2011zero, and the issue is not yet listed in CISA's KEV catalog. Attackers do not need network access to the WordPress admin interface; they only need to be able to reach the upload endpoint, typically a publicly accessible URL, making the attack straightforward once the plugin is present."}}}}, "created": "2026-04-21T21:00:35.996194+00:00", "updated": "2026-04-21T21:00:35.996208+00:00", "vendors": []}