CVE-2025-3054
BaseFortify
Publication date: 2025-06-05
Last updated on: 2025-06-05
Assigner: Wordfence
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the WP User Frontend Pro plugin for WordPress, where the upload_files() function lacks proper file type validation. This allows authenticated users with Subscriber-level access or higher to upload arbitrary files to the server. The vulnerability requires the 'Private Message' module to be enabled and the Business version of the PRO software to be used. Exploiting this flaw may enable remote code execution on the affected site.
How can this vulnerability impact me?
An attacker with at least Subscriber-level access can upload arbitrary files, potentially leading to remote code execution on the server. This can compromise the website's security, allowing unauthorized control, data theft, defacement, or further attacks on the server and connected systems.
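For reference, the kind of file type validation whose absence is described above looks like this in a WordPress upload handler. This is an added example, not code from WP User Frontend Pro or its patch; the `example_pm_*` names, the `attachment` field, the nonce action and the allowlist are hypothetical.

```php
<?php
/**
 * Added example: attachment upload for a hypothetical private-message
 * feature, restricted to an explicit allowlist of file types.
 */

// Assumption: the feature only needs these attachment types.
const EXAMPLE_PM_ALLOWED_MIMES = array(
    'jpg|jpeg' => 'image/jpeg',
    'png'      => 'image/png',
    'pdf'      => 'application/pdf',
);

function example_pm_handle_attachment() {
    // wp_ajax_* hooks only fire for logged-in users; the nonce ties the
    // request to a form this site issued. check_ajax_referer() dies on failure.
    check_ajax_referer( 'example_pm_upload', 'nonce' );

    if ( empty( $_FILES['attachment'] ) || UPLOAD_ERR_OK !== $_FILES['attachment']['error'] ) {
        wp_send_json_error( 'No file received.', 400 );
    }
    $file = $_FILES['attachment'];

    // Reject anything whose extension is not on the allowlist, or whose
    // content (where WordPress can inspect it) does not match the extension.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], EXAMPLE_PM_ALLOWED_MIMES );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'File type not allowed.', 415 );
    }

    // Let core move the file; passing 'mimes' enforces the same allowlist
    // there instead of falling back to the site-wide list.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload(
        $file,
        array(
            'test_form' => false,
            'mimes'     => EXAMPLE_PM_ALLOWED_MIMES,
        )
    );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }

    wp_send_json_success( array( 'url' => $result['url'] ) );
}
add_action( 'wp_ajax_example_pm_upload', 'example_pm_handle_attachment' );
```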