The WP3D Model Import Viewer plugin for WordPress suffers from an unrestricted file upload vulnerability (CWE-434) identified as CVE-2025-13094. The vulnerability arises because the handle_import_file() function does not validate the type of files being uploaded, allowing authenticated users with Author-level privileges or higher to upload arbitrary files to the server. Since WordPress roles such as Author are commonly assigned to contributors who can upload content, this vulnerability expands the attack surface significantly. By uploading malicious files, attackers can potentially execute remote code on the server, leading to full system compromise. The vulnerability affects all versions up to and including 1.0.7 of the plugin. The CVSS v3.1 base score is 8.8, reflecting high impact on confidentiality, integrity, and availability, with low attack complexity and no user interaction required. Although no public exploits have been reported yet, the vulnerability's characteristics make it a prime target for attackers seeking to gain persistent access or pivot within compromised environments. The lack of patch links indicates that a fix may not yet be publicly available, increasing urgency for mitigation.

If exploited, this vulnerability allows attackers to upload arbitrary files, including web shells or other malicious scripts, enabling remote code execution on the affected server. This can lead to full compromise of the WordPress site and potentially the underlying server infrastructure. Confidential data stored on the server can be exfiltrated or altered, website integrity can be damaged, and availability can be disrupted through destructive payloads or denial-of-service attacks. Organizations relying on this plugin risk reputational damage, data breaches, and regulatory penalties. Since the vulnerability requires only Author-level access, insider threats or compromised user accounts can be leveraged to exploit it. The broad impact on confidentiality, integrity, and availability combined with ease of exploitation makes this a critical concern for any organization using the affected plugin.

Organizations should immediately audit their WordPress installations to identify the presence of the WP3D Model Import Viewer plugin and its version. Until an official patch is released, restrict Author-level and higher user permissions to trusted individuals only. Implement web application firewall (WAF) rules to detect and block suspicious file upload attempts targeting the plugin's upload endpoints. Disable or remove the plugin if it is not essential. Monitor server logs for unusual file uploads or execution attempts. Employ file integrity monitoring to detect unauthorized changes. Additionally, configure the web server to disallow execution of uploaded files in the plugin's upload directories by setting appropriate permissions and disabling script execution. Regularly update WordPress and plugins once patches become available. Consider implementing multi-factor authentication to reduce the risk of compromised accounts.