CVE-2025-3917: CWE-434 Unrestricted Upload of File with Dangerous Type in kelerkgibo 百度站长SEO合集(支持百度/神马/Bing/头条推送)
The 百度站长SEO合集(支持百度/神马/Bing/头条推送) plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the download_remote_image_to_media_library function in all versions up to, and including, 2.0.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
AI Analysis
Technical Summary
CVE-2025-3917 is a critical vulnerability in the WordPress plugin 百度站长SEO合集(支持百度/神马/Bing/头条推送) (a Baidu webmaster SEO bundle that pushes URLs to Baidu, Shenma, Bing and Toutiao) by kelerkgibo. The flaw is in the download_remote_image_to_media_library function, which stores a file without validating its type. As the function name indicates, the plugin fetches an image from a remote location and writes it into the WordPress media library (the web-served wp-content/uploads tree), and it never checks that what it fetched is actually an image. An unauthenticated attacker can therefore get a file of arbitrary type, for example a PHP web shell, written into a directory the web server serves, and if PHP is executed from that directory, a single follow-up request to the dropped file gives remote code execution. The weakness is CWE-434 (Unrestricted Upload of File with Dangerous Type). All versions up to and including 2.0.6 are affected. The CVSS v3.1 score is 9.8 (critical): the attack is network-reachable, low complexity, and requires neither privileges nor user interaction, with high impact on confidentiality, integrity and availability. No public exploit had been reported at the time of this analysis, but unauthenticated file-write flaws in WordPress plugins are routinely mass-exploited once details are public, so the absence of a known exploit should not be read as low risk. One point for defenders: if the function behaves as its name suggests, the payload reaches the server through the plugin's own outbound HTTP fetch rather than through a browser upload form, so controls that only inspect multipart upload bodies will not see it; the triggering request carries only a URL. The plugin's install base is concentrated in Chinese-language SEO, but since WordPress is deployed worldwide, any site running it, including European ones, is exposed.
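The plugin's source is not reproduced on this page, so the following Python model is an added illustration, not the plugin's own code: it contrasts the unsafe pattern the description implies (write the fetched body under the remote file's name, no type check) with a hardened version of the same operation. The function names, the `fetch` stand-in, the sample URLs and the response bodies are all constructed for the demo; the real plugin is PHP and would use WordPress's own sideload helpers (see the note after the block).

```python
import hashlib
import os
import posixpath
from urllib.parse import unquote, urlparse

# Magic bytes for the image types we are willing to store; the extension
# allowlist is derived from this table.
IMAGE_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
MAX_BYTES = 5 * 1024 * 1024

# Constructed stand-in for the remote fetch: URL -> response body.
SAMPLE_REMOTE = {
    "https://example.test/logo.png": IMAGE_MAGIC["png"] + b"\x00" * 32,
    # PHP body under a PHP name: exactly what a missing type check lets through.
    "https://example.test/shell.php": b"<?php system($_GET['c']); ?>",
    # Image extension but PHP body: an extension-only check would accept this.
    "https://example.test/pic.png": b"<?php echo 1; ?>",
}


def fetch(url):
    """Hypothetical fetch; returns the constructed body for a sample URL."""
    if url not in SAMPLE_REMOTE:
        raise ValueError("unknown sample URL")
    return SAMPLE_REMOTE[url]


def unsafe_download(url, uploads_dir):
    """Model of the vulnerable pattern (CWE-434): the filename comes from the
    remote URL and the body is written as-is into the web-served uploads
    directory. Nothing verifies that the result is an image."""
    name = posixpath.basename(unquote(urlparse(url).path))
    dest = os.path.join(uploads_dir, name)
    with open(dest, "wb") as fh:
        fh.write(fetch(url))
    return dest


class RejectedUpload(Exception):
    """Raised by the hardened variant when the remote file fails validation."""


def hardened_download(url, uploads_dir):
    """Hardened variant: allowlisted extension, body must start with the magic
    bytes of that type, a size cap, and a server-chosen filename so that
    nothing taken from the URL ever reaches the filesystem."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        raise RejectedUpload("unsupported scheme")
    name = posixpath.basename(unquote(parsed.path))
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in IMAGE_MAGIC:
        raise RejectedUpload(f"extension {ext!r} not allowed")
    body = fetch(url)
    if len(body) > MAX_BYTES:
        raise RejectedUpload("too large")
    if not body.startswith(IMAGE_MAGIC[ext]):
        raise RejectedUpload("content does not match extension")
    # Content-addressed name chosen by the server, never by the remote side.
    safe_name = hashlib.sha256(body).hexdigest()[:16] + "." + ext
    dest = os.path.join(uploads_dir, safe_name)
    with open(dest, "wb") as fh:
        fh.write(body)
    return dest


def is_rejected(url, uploads_dir):
    """True when the hardened variant refuses the URL."""
    try:
        hardened_download(url, uploads_dir)
    except RejectedUpload:
        return True
    return False


if __name__ == "__main__":
    import tempfile

    d = tempfile.mkdtemp()
    print("unsafe stored:", unsafe_download("https://example.test/shell.php", d))
    print("hardened stored:", hardened_download("https://example.test/logo.png", d))
    for bad in ("https://example.test/shell.php", "https://example.test/pic.png"):
        print(bad, "rejected" if is_rejected(bad, d) else "ACCEPTED")
```

In a real WordPress plugin the equivalent of the hardened path is to fetch with download_url(), run the temporary file through wp_check_filetype_and_ext() so that extension and sniffed MIME type must agree, and then hand it to wp_handle_sideload() or media_handle_sideload(), which apply the site's upload allowlist and pick the final name; the magic-byte check above is the minimal form of the same idea. Restricting the operation to users with the upload_files capability and a nonce would additionally remove the unauthenticated attack surface altogether.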
Potential Impact
For European organizations the impact could be severe. A site running this plugin can be taken over without any prior foothold: the attacker needs no account and no interaction from a user, so every Internet-reachable installation is in scope. A dropped web shell gives persistent access to the server, from which an attacker can read the WordPress database and any stored personal data, deface or inject content into the site, pivot into adjacent internal systems, or enlist the host in botnets and further attack campaigns. For organizations in the EU the data-access side translates into GDPR breach-notification duties and possible penalties on top of reputational damage and downtime. This matters most where WordPress fronts finance, healthcare or public-sector services, whether public-facing or internal. The lack of an official patch at the time of disclosure makes containment, rather than waiting for an update, the priority.
Mitigation Recommendations
Immediate mitigation steps:
1) Remove the vulnerable plugin, or update to a fixed release above 2.0.6 if one is published. Prefer deletion over deactivation: a deactivated plugin's files stay on disk and can still be requested directly.
2) Block the trigger at the edge. A WAF cannot see a PHP function name, so identify from the plugin source the HTTP route (admin-ajax action, REST route or standalone plugin file) that reaches download_remote_image_to_media_library and deny it, and in any case deny requests for .php, .phtml and .phar files (including double extensions such as .php.png) under /wp-content/uploads/.
3) Disable script execution in wp-content/uploads at the web server (an Apache .htaccess that removes the PHP handler, or an nginx location rule that refuses .php requests under uploads), and do the same for any other directory the web server user can write to. This turns a dropped web shell into an inert file.
4) If the function fetches attacker-supplied URLs, as its name suggests, restrict outbound HTTP from the web server to the destinations it actually needs; the plugin's legitimate use is pushing URLs to Baidu, Shenma, Bing and Toutiao.
5) Monitor web server logs for requests to executable files under /wp-content/uploads/, especially ones answered with 200, and put file-integrity monitoring or a periodic scan for PHP content on the uploads tree; a new .php file there is a strong compromise indicator regardless of how it arrived.
6) Tune IDS/IPS and endpoint tooling to web shell signatures and to outbound connections originating from the web server process.
7) Keep WordPress core and all plugins current, and subscribe to advisories for the plugins in use so a fix for this one is applied as soon as it ships.
8) Audit and test every file upload and remote-fetch ("sideload") feature on the site, not only this plugin's; the same missing validation is common.
9) Make administrators aware of the risk of unvetted plugins and of the need for timely updates.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-04-24T10:22:46.708Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682cd0fb1484d88663aec6bb
Added to database: 5/20/2025, 6:59:07 PM
Last enriched: 7/6/2025, 11:28:41 AM
Last updated: 8/6/2025, 7:25:44 AM
Views: 10
Related Threats
CVE-2025-41686: CWE-306 Missing Authentication for Critical Function in Phoenix Contact DaUM (High)
CVE-2025-8874: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in litonice13 Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations (Medium)
CVE-2025-8767: CWE-1236 Improper Neutralization of Formula Elements in a CSV File in anwppro AnWP Football Leagues (Medium)
CVE-2025-8482: CWE-862 Missing Authorization in 10up Simple Local Avatars (Medium)
CVE-2025-8418: CWE-862 Missing Authorization in bplugins B Slider- Gutenberg Slider Block for WP (High)