CVE-2025-10041
BaseFortify
Publication date: 2025-10-15
Last updated on: 2026-04-08
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | flex_qr_code_generator | 1.2.5 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Flex QR Code Generator WordPress plugin (up to version 1.2.5) allows unauthenticated attackers to upload arbitrary files to the affected site's server due to missing file type validation in the save_qr_code_to_db() function. This occurs because the plugin does not properly validate or sanitize file uploads, enabling attackers to potentially execute remote code on the server by uploading malicious files. [3]
How can this vulnerability impact me?
This vulnerability can have severe impacts including unauthorized file uploads by attackers, which may lead to remote code execution on the server hosting the WordPress site. This can result in full compromise of the website, data theft, defacement, or use of the server for malicious activities. [3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can focus on monitoring for unauthorized file uploads to the WordPress uploads directory, especially files uploaded via the AJAX endpoints related to the Flex QR Code Generator plugin (e.g., flexqr_save_qr, flexqr_update_qr). Check for suspicious or recently modified files in the uploads directory. Example commands:
1) List files modified in the last 7 days in the uploads directory: `find wp-content/uploads/ -type f -mtime -7`
2) Search web server logs for POST requests to the plugin's AJAX endpoints: `grep 'POST.*flexqr_save_qr' /var/log/apache2/access.log` or `grep 'POST.*flexqr_update_qr' /var/log/apache2/access.log`
3) Check for unexpected PHP or executable files in uploads: `find wp-content/uploads/ -type f \( -name '*.php' -o -name '*.exe' -o -name '*.sh' \)` [3]
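The checks above can be combined into one script that a responder can run offline. The following is an added example, not code from BaseFortify or from the plugin: it parses Apache-style access log lines for POST requests carrying the two action names named in the advisory, and walks an uploads directory flagging files that are executable or are not an expected image type. It assumes the plugin exposes its AJAX actions through the standard WordPress admin-ajax.php entry point with the action in the query string, and the image-extension allowlist is an assumption for a directory that should only hold QR code images. The log lines and files are constructed sample data.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import parse_qs, urlparse

# Action names taken from the advisory text. Routing through admin-ajax.php
# (the standard WordPress AJAX entry point) is an assumption of this example.
SUSPECT_ACTIONS = {"flexqr_save_qr", "flexqr_update_qr"}
# Assumed allowlist: a QR code uploads directory should only contain images.
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif", ".svg", ".webp"}
# Extensions the web server or shell might execute if they land in uploads.
EXEC_EXT = {".php", ".phtml", ".php5", ".phar", ".sh", ".exe"}

# Combined-log-format prefix: ip ident user [ts] "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample access log (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.5 - - [15/Oct/2025:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=flexqr_save_qr HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - - [15/Oct/2025:10:02:03 +0000] "GET /wp-content/uploads/2025/10/qr-001.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [15/Oct/2025:10:03:04 +0000] "POST /wp-admin/admin-ajax.php?action=flexqr_update_qr HTTP/1.1" 200 300 "-" "curl/8.0"
192.0.2.9 - - [15/Oct/2025:10:04:05 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""


def parse_log_line(line):
    """Return a dict with ip, method, path, action and status, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlparse(rec["target"])
    rec["path"] = url.path
    rec["action"] = parse_qs(url.query).get("action", [None])[0]
    return rec


def find_suspect_requests(lines):
    """POSTs to admin-ajax.php whose action is one of the plugin's upload actions."""
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if (rec and rec["method"] == "POST"
                and rec["path"].endswith("/admin-ajax.php")
                and rec["action"] in SUSPECT_ACTIONS):
            hits.append((rec["ip"], rec["action"], rec["status"]))
    return hits


def find_suspect_files(uploads_dir):
    """Files under uploads_dir that are executable or not an allowed image type."""
    root = Path(uploads_dir)
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        # Inspect every suffix so a name with an executable extension anywhere
        # in it is caught, not only the final one.
        if {s.lower() for s in p.suffixes} & EXEC_EXT:
            findings.append((rel, "executable extension"))
        elif p.suffix.lower() not in ALLOWED_EXT:
            findings.append((rel, "not an expected image type"))
    return findings


def build_sample_uploads(root):
    """Create a constructed uploads tree: one legitimate image and two anomalies."""
    d = Path(root) / "2025" / "10"
    d.mkdir(parents=True)
    (d / "qr-001.png").write_bytes(b"\x89PNG\r\n\x1a\n")            # expected
    (d / "qr-002.php").write_bytes(b"<?php /* placeholder */ ?>")  # should never be here
    (d / "readme.txt").write_text("constructed sample")           # not an image


def run_demo():
    """Run both checks over the constructed data and return their findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_uploads(tmp)
        files = find_suspect_files(tmp)
    requests = find_suspect_requests(SAMPLE_LOG.splitlines())
    return requests, files


if __name__ == "__main__":
    reqs, files = run_demo()
    for ip, action, status in reqs:
        print(f"upload action {action} from {ip} -> HTTP {status}")
    for rel, reason in files:
        print(f"{rel}: {reason}")
```

To use it on a real host, feed `find_suspect_requests` the lines of the access log and point `find_suspect_files` at `wp-content/uploads/`. Note that the action name is only visible in the access log when it is sent in the query string; if the plugin posts it in the request body, a WAF or ModSecurity audit log is needed to see it, which is why the file-system check is the more reliable of the two.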
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
1) Temporarily disabling or uninstalling the Flex QR Code Generator plugin until a patched version is available.
2) Restricting permissions on the WordPress uploads directory to prevent execution of uploaded files.
3) Monitoring for and removing any suspicious files uploaded via the plugin's AJAX endpoints.
4) Applying web application firewall (WAF) rules to block unauthorized POST requests to the plugin's AJAX endpoints (e.g., flexqr_save_qr, flexqr_update_qr).
5) Keeping WordPress and all plugins updated and reviewing user permissions to limit unauthenticated access.
Note that the plugin has been temporarily closed and unavailable for download since October 14, 2025, pending a full review. [2, 3]