CVE-2025-13094
Arbitrary File Upload in WP3D Model Import Viewer Enables RCE
Publication date: 2025-12-13
Last updated on: 2025-12-13
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | wp3d_model_import_viewer | 1.0.7 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The WP3D Model Import Viewer plugin for WordPress has a vulnerability that allows authenticated users with Author-level access or higher to upload arbitrary files because the plugin does not properly validate file types in the handle_import_file() function. This can lead to attackers uploading malicious files to the server, potentially enabling remote code execution.
How can this vulnerability impact me? :
This vulnerability can allow attackers with Author-level access to upload arbitrary files, which may lead to remote code execution on the affected server. This can compromise the website, allowing attackers to execute malicious code, steal data, or disrupt services.
What immediate steps should I take to mitigate this vulnerability?
Immediately disable or remove the WP3D Model Import Viewer plugin version 1.0.7 or earlier from your WordPress site, as it has been temporarily closed and removed from download availability pending a full security review. Ensure that only trusted users have Author-level access or higher, and monitor for any suspicious file uploads. Keep your WordPress and PHP versions updated to the recommended versions (WordPress 6.0 or higher and PHP 7.4 or higher). [1]