{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-69403", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-31T20:13:23.066Z", "datePublished": "2026-02-20T15:46:57.715Z", "dateUpdated": "2026-04-28T21:00:32.060Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "bravis-addons", "product": "Bravis Addons", "vendor": "Bravis-Themes", "versions": [{"lessThanOrEqual": "1.3.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:03:53.379Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Unrestricted Upload of File with Dangerous Type vulnerability in Bravis-Themes Bravis Addons bravis-addons allows Using Malicious Files.<p>This issue affects Bravis Addons: from n/a through <= 1.3.0.</p>"}], "value": "Unrestricted Upload of File with Dangerous Type vulnerability in Bravis-Themes Bravis Addons bravis-addons allows Using Malicious Files.This issue affects Bravis Addons: from n/a through <= 1.3.0."}], "impacts": [{"capecId": "CAPEC-17", "descriptions": [{"lang": "en", "value": "Using Malicious Files"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-434", "description": "Unrestricted Upload of File with Dangerous Type", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:40.194Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/bravis-addons/vulnerability/wordpress-bravis-addons-plugin-1-1-9-arbitrary-file-upload-vulnerability?_s_id=cve"}], "title": "WordPress Bravis Addons plugin <= 1.3.0 - Arbitrary File Upload vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-25T14:46:54.911726Z", "id": "CVE-2025-69403", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T21:00:32.060Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-69403", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-25T14:46:54.911726Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T14:45:50.208Z"}}], "cna": {"title": "WordPress Bravis Addons plugin <= 1.3.0 - Arbitrary File Upload vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-17", "descriptions": [{"lang": "en", "value": "Using Malicious Files"}]}], "affected": [{"vendor": "Bravis-Themes", "product": "Bravis Addons", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.3.0"}], "packageName": "bravis-addons", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:03:53.379Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/bravis-addons/vulnerability/wordpress-bravis-addons-plugin-1-1-9-arbitrary-file-upload-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Unrestricted Upload of File with Dangerous Type vulnerability in Bravis-Themes Bravis Addons bravis-addons allows Using Malicious Files.This issue affects Bravis Addons: from n/a through <= 1.3.0.", "supportingMedia": [{"type": "text/html", "value": "Unrestricted Upload of File with Dangerous Type vulnerability in Bravis-Themes Bravis Addons bravis-addons allows Using Malicious Files.<p>This issue affects Bravis Addons: from n/a through <= 1.3.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-01T14:13:31.099Z"}}}, "cveMetadata": {"cveId": "CVE-2025-69403", "state": "PUBLISHED", "dateUpdated": "2026-04-01T14:13:31.099Z", "dateReserved": "2025-12-31T20:13:23.066Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-20T15:46:57.715Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Unrestricted Upload of File with Dangerous Type vulnerability in Bravis-Themes Bravis Addons bravis-addons allows Using Malicious Files.This issue affects Bravis Addons: from n/a through <= 1.3.0."}, {"lang": "es", "value": "Vulnerabilidad de carga irrestricta de archivo con tipo peligroso en Bravis-Themes Bravis Addons bravis-addons permite el uso de archivos maliciosos. Este problema afecta a Bravis Addons: desde n/a hasta &lt;= 1.1.9."}], "id": "CVE-2025-69403", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-20T16:22:26.157", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/bravis-addons/vulnerability/wordpress-bravis-addons-plugin-1-1-9-arbitrary-file-upload-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.1.9]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Bravis Addons", "source": "cna", "vendor": "Bravis-Themes"}, "product": "bravis_addons", "vendor": "bravis-themes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-28T09:24:24.238551+00:00", "value": {"mitigation_remediation": ["Upgrade Bravis Addons to a release newer than 1.3.0 to remove the upload flaw.", "Configure WordPress to allow only safe file types and enforce strict MIME type checks on uploads.", "Deploy a web application firewall rule set that blocks uploads of executable or script files and monitor the upload directory for unauthorized files."], "summary": {"action": "Immediate Patch", "impact": "Remote code execution via arbitrary file upload"}, "threat_synthesis": {"affected_systems": "Any WordPress site that has Bravis Addons installed with a version no later than 1.3.0 is affected. The plugin vendor, Bravis\u2011Themes, acknowledges that all releases from the first public launch up to 1.3.0 lack proper upload filtering. Sites migrating to the official WordPress repository remain vulnerable until they update.", "description_and_impact": "The Bravis\u2011Themes Bravis Addons plugin up through version 1.3.0 suffers from an unrestricted upload vulnerability that permits an attacker to upload files with dangerous content. Because the plugin does not enforce file type validation or size limits, an adversary can upload executable scripts, web shells or cross\u2011site scripting payloads. Successful exploitation could lead to remote code execution, data exfiltration or denial of service against the WordPress site.", "risk_and_exploitability": "The CVSS score of 9.9 indicates critical severity. The EPSS score is under 1%, suggesting that exploit attempts are rare, and the vulnerability is not currently listed in the CISA KEV catalog. Nevertheless, attackers can leverage common file upload techniques; the threat is still substantial because the flaw originates in the plugin core, not merely an external dependency. The attack vector is inferred to be web\u2011based, typically through the plugin\u2019s upload interface, without requiring privileged credentials."}}}}, "created": "2026-02-23T14:36:53.848553+00:00", "updated": "2026-04-28T09:30:26.214984+00:00", "vendors": ["bravis-themes", "bravis-themes$PRODUCT$bravis_addons", "wordpress", "wordpress$PRODUCT$wordpress"]}