{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-4413", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-05-07T10:18:02.747Z", "datePublished": "2025-06-18T02:21:37.425Z", "dateUpdated": "2026-04-08T16:49:28.917Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:49:28.917Z"}, "affected": [{"vendor": "byrev", "product": "Pixabay Images", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Pixabay Images plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the pixabay_upload function in all versions up to, and including, 3.4. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible."}], "title": "Pixabay Images <= 3.4 - Authenticated (Author+) Arbitrary File Upload", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/44e71dea-d736-49c2-a630-f42905ac6b4d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/pixabay-images/trunk/pixabay-images.php#L177"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type", "cweId": "CWE-434", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Siavash Vaez Afshar"}], "timeline": [{"time": "2025-04-17T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-06-17T14:04:37.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-18T14:56:36.597300Z", "id": "CVE-2025-4413", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-18T14:57:43.040Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-4413", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-06-18T14:56:36.597300Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-18T14:57:39.430Z"}}], "cna": {"title": "Pixabay Images <= 3.4 - Authenticated (Author+) Arbitrary File Upload", "credits": [{"lang": "en", "type": "finder", "value": "Siavash Vaez Afshar"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "byrev", "product": "Pixabay Images", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "3.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-04-17T00:00:00.000+00:00", "value": "Discovered"}, {"lang": "en", "time": "2025-06-17T14:04:37.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/44e71dea-d736-49c2-a630-f42905ac6b4d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/pixabay-images/trunk/pixabay-images.php#L177"}], "descriptions": [{"lang": "en", "value": "The Pixabay Images plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the pixabay_upload function in all versions up to, and including, 3.4. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-06-18T02:21:37.425Z"}}}, "cveMetadata": {"cveId": "CVE-2025-4413", "state": "PUBLISHED", "dateUpdated": "2025-06-18T14:57:43.040Z", "dateReserved": "2025-05-07T10:18:02.747Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-06-18T02:21:37.425Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Pixabay Images plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the pixabay_upload function in all versions up to, and including, 3.4. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible."}, {"lang": "es", "value": "El complemento Pixabay Images para WordPress es vulnerable a la carga de archivos arbitrarios debido a la falta de validaci\u00f3n del tipo de archivo en la funci\u00f3n pixabay_upload en todas las versiones hasta la 3.4 incluida. Esto permite que atacantes autenticados, con acceso de autor o superior, carguen archivos arbitrarios en el servidor del sitio afectado, lo que podr\u00eda posibilitar la ejecuci\u00f3n remota de c\u00f3digo."}], "id": "CVE-2025-4413", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-06-18T03:15:25.560", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/pixabay-images/trunk/pixabay-images.php#L177"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/44e71dea-d736-49c2-a630-f42905ac6b4d?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T20:10:45.378126+00:00", "value": {"mitigation_remediation": ["Upgrade the Pixabay Images plugin to the latest version (3.5 or newer) where file type validation has been added.", "If an upgrade is not immediately possible, remove upload capabilities from the Author role or any role that does not require file uploads by adjusting WordPress capabilities or using a plugin that limits file permissions.", "Enforce file type restrictions on the server or with a security plugin to block non\u2011image uploads.", "Continuously monitor the upload directory for unexpected or executable files and audit access logs for suspicious activity."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution via arbitrary file upload"}, "threat_synthesis": {"affected_systems": "Byrev\u2019s Pixabay Images plugin for WordPress, versions up to and including 3.4, is vulnerable. Any site using a WordPress installation with this plugin version is at risk.", "description_and_impact": "The Pixabay Images plugin for WordPress allows authenticated users with Author or higher access to upload arbitrary files because the pixabay_upload function lacks file type validation. The missing validation permits malicious files, including scripts, to be stored on the web server, which could lead to remote code execution. This is a classic example of CWE-434.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 8.8, indicating high severity, and an EPSS score of 1%, reflecting a moderate likelihood of exploitation. It is not listed in CISA\u2019s KEV catalog. Authenticated attackers exploiting this flaw would likely do so via normal WordPress login as an Author or higher role, after which they can upload malicious files to trigger code execution."}}}}, "created": "2026-04-21T20:15:44.578767+00:00", "updated": "2026-04-21T20:15:44.578780+00:00", "vendors": []}