CVE-2025-13094: CWE-434 Unrestricted Upload of File with Dangerous Type in wp3d WP3D Model Import Viewer
The WP3D Model Import Viewer plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the handle_import_file() function in all versions up to, and including, 1.0.7. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
AI Analysis
Technical Summary
CVE-2025-13094 identifies a critical vulnerability in the WP3D Model Import Viewer plugin for WordPress, affecting all versions up to 1.0.7. The root cause is the absence of proper file type validation in the handle_import_file() function, which processes uploaded files. Authenticated users with Author-level permissions or higher can exploit this flaw to upload arbitrary files, including potentially malicious scripts, to the web server hosting the WordPress site. Because the plugin does not restrict file extensions or validate file contents, attackers can upload executable code such as PHP scripts. This can lead to remote code execution (RCE), allowing attackers to execute arbitrary commands on the server, escalate privileges, steal sensitive data, or disrupt service availability. The vulnerability requires authentication but no additional user interaction, and the attack vector is network accessible (remote). The CVSS 3.1 score of 8.8 reflects the high impact on confidentiality, integrity, and availability, combined with low attack complexity and limited privileges required. Although no public exploits are reported yet, the vulnerability's nature and ease of exploitation make it a significant threat. The lack of available patches at the time of publication necessitates immediate defensive measures. The vulnerability is classified under CWE-434, which concerns unrestricted file upload vulnerabilities that can lead to code execution or other severe consequences.
Potential Impact
For European organizations, this vulnerability poses a substantial risk, especially for those relying on WordPress sites with the WP3D Model Import Viewer plugin installed. Successful exploitation can lead to full compromise of the web server, exposing sensitive customer data, intellectual property, and internal systems. This can result in data breaches, defacement of websites, disruption of business operations, and potential regulatory penalties under GDPR due to loss of data confidentiality and integrity. The ability to execute arbitrary code remotely can also serve as a foothold for lateral movement within corporate networks, increasing the scope of compromise. Organizations in sectors such as e-commerce, government, education, and media, which frequently use WordPress, are particularly vulnerable. The threat is exacerbated by the fact that attackers only need Author-level access, which may be obtained through phishing or credential theft, making the attack vector more accessible. The lack of public exploits currently provides a small window for mitigation, but the high CVSS score indicates that the impact of exploitation would be severe.
Mitigation Recommendations
1. Immediately audit WordPress installations to identify the presence of the WP3D Model Import Viewer plugin and its version.
2. Disable or remove the plugin until a security patch or update is released by the vendor.
3. Restrict user roles and permissions rigorously, ensuring that only trusted users have Author-level or higher access.
4. Implement web application firewalls (WAFs) with custom rules to detect and block suspicious file upload attempts, especially targeting the plugin's upload endpoints.
5. Monitor server logs and file systems for unusual file uploads or modifications, particularly for executable file types like .php, .phtml, or other script extensions.
6. Employ file integrity monitoring solutions to detect unauthorized changes.
7. Harden the web server configuration to prevent execution of uploaded files in upload directories (e.g., disable PHP execution in upload folders).
8. Educate users about phishing and credential security to reduce the risk of compromised accounts with Author-level access.
9. Once available, promptly apply official patches or updates from the plugin vendor.
10. Consider implementing multi-factor authentication (MFA) for WordPress accounts to reduce the risk of unauthorized access.
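An added example, not the plugin's code, of the allowlist check that handle_import_file() lacks (the root cause described under Technical Summary) together with the upload-tree scan that mitigation step 5 calls for; the accepted model formats (.glb, .gltf, .obj, .stl), their signatures and the sample files are assumptions constructed for the example:

```python
"""Added example, not the plugin's code: allowlist validation for model uploads plus a
scanner for script files in an uploads tree. Accepted formats are an assumption."""
import os
import tempfile

# Assumed model formats -> bytes a genuine file must start with (None: text format, PHP-tag check only).
ALLOWED_MAGIC = {".glb": b"glTF", ".gltf": None, ".obj": None, ".stl": None}
SCRIPT_EXTENSIONS = {".php", ".phtml", ".phar", ".php5"}  # .php/.phtml are named on the page


def contains_php_tag(data: bytes) -> bool:
    """A PHP open tag anywhere in the payload means it is not a model file."""
    return b"<?php" in data or b"<?=" in data


def validate_model_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason): reject script extensions anywhere in the name, non-allowlisted extensions, mismatched content."""
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return False, "missing extension"
    if any("." + p in SCRIPT_EXTENSIONS for p in parts[1:]):  # catches shell.php.glb as well as shell.php
        return False, "script extension in filename"
    ext = "." + parts[-1]
    if ext not in ALLOWED_MAGIC:
        return False, "extension not allowed"
    magic = ALLOWED_MAGIC[ext]
    if magic is not None and not data.startswith(magic):
        return False, "content does not match extension"
    if contains_php_tag(data):
        return False, "PHP tag in content"
    return True, "ok"


def scan_upload_dir(root: str) -> list[str]:
    """Mitigation 5: list files under an uploads tree with a script extension or a PHP tag behind a harmless name."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(65536)
            if os.path.splitext(name.lower())[1] in SCRIPT_EXTENSIONS or contains_php_tag(head):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def demo_scan() -> list[str]:
    """Constructed sample tree: one genuine-looking .glb, one PHP payload behind a .glb name, one .phtml."""
    root = tempfile.mkdtemp()
    for name, data in [("model.glb", b"glTF\x02\x00\x00\x00"), ("cube.glb", b"<?php echo 1;"), ("x.phtml", b"hi")]:
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return scan_upload_dir(root)
```

Pairing the content check with the extension check matters: a PHP file renamed to .glb passes an extension-only filter, and a script extension hidden before the final one passes a last-extension-only filter.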
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-11-12T20:54:54.977Z
CVSS Version: 3.1
State: PUBLISHED
Threat ID: 693cef64d977419e584a5018
Added to database: 12/13/2025, 4:45:24 AM
Last enriched: 12/20/2025, 6:20:29 AM
Last updated: 2/7/2026, 5:38:31 AM